Edit tour

Windows Analysis Report
bC61G18iPf.dll

Overview

General Information

Sample name:	bC61G18iPf.dll renamed because original name is a hash value
Original sample name:	b01b4dbaeab5353347d09642c0454cef.dll
Analysis ID:	1591811
MD5:	b01b4dbaeab5353347d09642c0454cef
SHA1:	bb043b2adbdb267e4b526c6428cf5eef5111015c
SHA256:	115e716481945844a24a4c4e21cec431792bffcb2bb6a05728e829742ba9bcf6
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Wannacry Ransomware

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Tries to download HTTP data from a sinkholed server

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many IPs within the same subnet mask (likely port scanning)

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Connects to several IPs in different countries

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5396 cmdline: loaddll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 4440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5844 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 2300 cmdline: rundll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3292 cmdline: rundll32.exe C:\Users\user\Desktop\bC61G18iPf.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 3620 cmdline: C:\WINDOWS\mssecsvc.exe MD5: A2882AE67399CA859277CFFE04F10E18)

tasksche.exe (PID: 940 cmdline: C:\WINDOWS\tasksche.exe /i MD5: E19F8CB58CEEDE7D421A4BD320109DEA)

rundll32.exe (PID: 1496 cmdline: rundll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 1988 cmdline: C:\WINDOWS\mssecsvc.exe MD5: A2882AE67399CA859277CFFE04F10E18)

tasksche.exe (PID: 1472 cmdline: C:\WINDOWS\tasksche.exe /i MD5: E19F8CB58CEEDE7D421A4BD320109DEA)

mssecsvc.exe (PID: 5404 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: A2882AE67399CA859277CFFE04F10E18)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
bC61G18iPf.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
bC61G18iPf.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x3543b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x3028:$x7: mssecsvc.exe 0x120ac:$x7: mssecsvc.exe 0x1b3b4:$x7: mssecsvc.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
bC61G18iPf.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000C.00000000.2336119939.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000000.2317856826.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000000.2317856826.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000A.00000000.2325863746.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000B.00000000.2328376091.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2959623185.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2959623185.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2328543666.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2328543666.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.2302360963.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.2302360963.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000C.00000002.2336486980.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.2302246591.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2959426522.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2328399065.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000002.2336851400.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2960358590.0000000001EC2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2960358590.0000000001EC2000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000000.2317713903.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000002.2336993544.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000002.2336993544.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000B.00000000.2328520329.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000000.2328520329.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2960608445.00000000023E2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2960608445.00000000023E2000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvc.exe PID: 3620	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 5404	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 1988	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.mssecsvc.exe.23d38c8.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvc.exe.1eb3084.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvc.exe.1ee5128.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1ee5128.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.1ee5128.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.1ee5128.4.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.240596c.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.240596c.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.240596c.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.240596c.8.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.23e2948.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.23e2948.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.23e2948.9.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvc.exe.23e2948.9.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.1ec2104.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1ec2104.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.1ec2104.2.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvc.exe.1ec2104.2.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.240596c.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.240596c.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.240596c.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.240596c.8.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
11.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
12.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.1ee5128.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1ee5128.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.1ee5128.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.1ee5128.4.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
12.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.23d38c8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.23d38c8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvc.exe.23d38c8.6.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
11.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.1ebe0a4.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1ebe0a4.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.1ebe0a4.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.1eb3084.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1eb3084.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x283de4:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x273bb0:$x3: tasksche.exe 0x283dc0:$x3: tasksche.exe 0x283d9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x283e14:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x273c1b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x23e26c:$x7: mssecsvc.exe 0x259b94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x273b88:$x8: C:\%s\qeriuwjhrf 0x283de4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x23e254:$s1: C:\%s\%s 0x259b7c:$s1: C:\%s\%s 0x273b9c:$s1: C:\%s\%s 0x283d14:$s3: cmd.exe /c "%s" 0x2b6268:$s4: msg/m_portuguese.wnry
7.2.mssecsvc.exe.1eb3084.5.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvc.exe.1eb3084.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x283dc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x283de8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.1eb3084.5.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2768fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x24a8d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x24c25a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x27c0a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.23e2948.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.23e2948.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.23e2948.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.23de8e8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.23de8e8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.23de8e8.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.1ec2104.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1ec2104.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x5089ec:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x5089d4:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x50d5a9:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.1ec2104.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 135 entries

Suricata Signatures

ET MALWARE Known Sinkhole Response Kryptos Logic

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T14:05:26.878784+0100	2031515	3	Misc activity	104.16.167.228	80	192.168.2.5	49756	TCP
2025-01-15T14:05:27.712534+0100	2031515	3	Misc activity	104.16.167.228	80	192.168.2.5	49762	TCP
2025-01-15T14:05:28.730630+0100	2031515	3	Misc activity	104.16.167.228	80	192.168.2.5	49781	TCP

ET MALWARE Possible WannaCry DNS Lookup 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T14:05:26.341899+0100	2024291	1	A Network Trojan was detected	192.168.2.5	57313	1.1.1.1	53	UDP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T14:05:26.878647+0100	2024298	1	A Network Trojan was detected	192.168.2.5	49756	104.16.167.228	80	TCP
2025-01-15T14:05:27.707661+0100	2024298	1	A Network Trojan was detected	192.168.2.5	49762	104.16.167.228	80	TCP
2025-01-15T14:05:28.728982+0100	2024298	1	A Network Trojan was detected	192.168.2.5	49781	104.16.167.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T14:05:26.878647+0100	2024299	1	A Network Trojan was detected	192.168.2.5	49756	104.16.167.228	80	TCP
2025-01-15T14:05:27.707661+0100	2024299	1	A Network Trojan was detected	192.168.2.5	49762	104.16.167.228	80	TCP
2025-01-15T14:05:28.728982+0100	2024299	1	A Network Trojan was detected	192.168.2.5	49781	104.16.167.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T14:05:26.878647+0100	2024301	1	A Network Trojan was detected	192.168.2.5	49756	104.16.167.228	80	TCP
2025-01-15T14:05:27.707661+0100	2024301	1	A Network Trojan was detected	192.168.2.5	49762	104.16.167.228	80	TCP
2025-01-15T14:05:28.728982+0100	2024301	1	A Network Trojan was detected	192.168.2.5	49781	104.16.167.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T14:05:26.878647+0100	2024302	1	A Network Trojan was detected	192.168.2.5	49756	104.16.167.228	80	TCP
2025-01-15T14:05:27.707661+0100	2024302	1	A Network Trojan was detected	192.168.2.5	49762	104.16.167.228	80	TCP
2025-01-15T14:05:28.728982+0100	2024302	1	A Network Trojan was detected	192.168.2.5	49781	104.16.167.228	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T14:05:26.878647+0100	2803304	3	Unknown Traffic	192.168.2.5	49756	104.16.167.228	80	TCP
2025-01-15T14:05:27.707661+0100	2803304	3	Unknown Traffic	192.168.2.5	49762	104.16.167.228	80	TCP
2025-01-15T14:05:28.728982+0100	2803304	3	Unknown Traffic	192.168.2.5	49781	104.16.167.228	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bC61G18iPf.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\tasksche.exe

Avira: detection malicious, Label: TR/Ransom.Gen

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 93%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 93%

Multi AV Scanner detection for submitted file

Source: bC61G18iPf.dll	ReversingLabs: Detection: 94%
Source: bC61G18iPf.dll	Virustotal: Detection: 89%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.1% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: bC61G18iPf.dll

Joe Sandbox ML: detected

Source: C:\Windows\tasksche.exe

Code function: 10_2_004018B9 CryptReleaseContext,

10_2_004018B9

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: bC61G18iPf.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.5:49781 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.5:49756 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.5:49781 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.5:49756 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.5:49781 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.5:49781 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.5:49756 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.5:49756 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.5:49762 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.5:49762 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.5:49762 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.5:49762 -> 104.16.167.228:80

Tries to download HTTP data from a sinkholed server

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 13:05:26 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 902613ce9826f5fa-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 13:05:27 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 902613d3bc48c343-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 13:05:28 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 902613da282f7c9a-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Connects to many IPs within the same subnet mask (likely port scanning)

Source: global traffic

TCP traffic: Count: 10 IPs: 191.52.146.5,191.52.146.6,191.52.146.3,191.52.146.4,191.52.146.1,191.52.146.2,191.52.146.125,191.52.146.9,191.52.146.7,191.52.146.8

Source: unknown

Network traffic detected: IP country count 10

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49756 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024291 - Severity 1 - ET MALWARE Possible WannaCry DNS Lookup 1 : 192.168.2.5:57313 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49781 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49762 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.5:49756
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.5:49781
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.5:49762

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 163.149.244.119
Source: unknown	TCP traffic detected without corresponding DNS query: 163.149.244.119
Source: unknown	TCP traffic detected without corresponding DNS query: 163.149.244.119
Source: unknown	TCP traffic detected without corresponding DNS query: 163.149.244.1
Source: unknown	TCP traffic detected without corresponding DNS query: 163.149.244.119
Source: unknown	TCP traffic detected without corresponding DNS query: 163.149.244.1
Source: unknown	TCP traffic detected without corresponding DNS query: 163.149.244.1
Source: unknown	TCP traffic detected without corresponding DNS query: 163.149.244.1
Source: unknown	TCP traffic detected without corresponding DNS query: 163.149.244.1
Source: unknown	TCP traffic detected without corresponding DNS query: 163.149.244.1
Source: unknown	TCP traffic detected without corresponding DNS query: 163.149.244.1
Source: unknown	TCP traffic detected without corresponding DNS query: 191.52.146.125
Source: unknown	TCP traffic detected without corresponding DNS query: 191.52.146.125
Source: unknown	TCP traffic detected without corresponding DNS query: 191.52.146.125
Source: unknown	TCP traffic detected without corresponding DNS query: 191.52.146.1
Source: unknown	TCP traffic detected without corresponding DNS query: 191.52.146.1
Source: unknown	TCP traffic detected without corresponding DNS query: 191.52.146.1
Source: unknown	TCP traffic detected without corresponding DNS query: 191.52.146.125
Source: unknown	TCP traffic detected without corresponding DNS query: 191.52.146.1
Source: unknown	TCP traffic detected without corresponding DNS query: 191.52.146.1
Source: unknown	TCP traffic detected without corresponding DNS query: 191.52.146.1
Source: unknown	TCP traffic detected without corresponding DNS query: 191.52.146.1
Source: unknown	TCP traffic detected without corresponding DNS query: 191.52.146.1
Source: unknown	TCP traffic detected without corresponding DNS query: 191.52.146.1
Source: unknown	TCP traffic detected without corresponding DNS query: 191.52.146.1
Source: unknown	TCP traffic detected without corresponding DNS query: 213.39.119.211
Source: unknown	TCP traffic detected without corresponding DNS query: 213.39.119.211
Source: unknown	TCP traffic detected without corresponding DNS query: 213.39.119.211
Source: unknown	TCP traffic detected without corresponding DNS query: 213.39.119.1
Source: unknown	TCP traffic detected without corresponding DNS query: 213.39.119.211
Source: unknown	TCP traffic detected without corresponding DNS query: 213.39.119.1
Source: unknown	TCP traffic detected without corresponding DNS query: 213.39.119.1
Source: unknown	TCP traffic detected without corresponding DNS query: 213.39.119.1
Source: unknown	TCP traffic detected without corresponding DNS query: 213.39.119.1
Source: unknown	TCP traffic detected without corresponding DNS query: 213.39.119.1
Source: unknown	TCP traffic detected without corresponding DNS query: 213.39.119.1
Source: unknown	TCP traffic detected without corresponding DNS query: 59.126.4.227
Source: unknown	TCP traffic detected without corresponding DNS query: 59.126.4.227
Source: unknown	TCP traffic detected without corresponding DNS query: 59.126.4.227
Source: unknown	TCP traffic detected without corresponding DNS query: 59.126.4.1
Source: unknown	TCP traffic detected without corresponding DNS query: 59.126.4.227
Source: unknown	TCP traffic detected without corresponding DNS query: 59.126.4.1
Source: unknown	TCP traffic detected without corresponding DNS query: 59.126.4.1
Source: unknown	TCP traffic detected without corresponding DNS query: 59.126.4.1
Source: unknown	TCP traffic detected without corresponding DNS query: 59.126.4.1
Source: unknown	TCP traffic detected without corresponding DNS query: 59.126.4.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Source: bC61G18iPf.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: mssecsvc.exe, 00000006.00000002.2329133758.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.2329133758.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000007.00000002.2959897169.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000B.00000002.2337272533.0000000000D18000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000B.00000002.2337272533.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: mssecsvc.exe, 00000006.00000002.2329133758.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com//
Source: mssecsvc.exe, 00000006.00000002.2329133758.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/5
Source: mssecsvc.exe, 0000000B.00000002.2337272533.0000000000D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com5
Source: mssecsvc.exe, 00000007.00000002.2959289660.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ
Source: mssecsvc.exe, 00000006.00000002.2329133758.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.kryptoslogic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Spam, unwanted Advertisements and Ransom Demands

Detected Wannacry Ransomware

Source: C:\Windows\tasksche.exe	Code function: strrchr,CreateFileA,GetFileSizeEx,memcmp,strrchr,GlobalAlloc,_local_unwind2, WANACRY!		10_2_004014A6
Source: C:\Windows\tasksche.exe	Code function: strrchr,CreateFileA,GetFileSizeEx,memcmp,strrchr,GlobalAlloc,_local_unwind2, WANACRY!		10_2_004014B3

Yara detected Wannacry ransomware

Source: Yara match	File source: bC61G18iPf.dll, type: SAMPLE
Source: Yara match	File source: 7.2.mssecsvc.exe.1ee5128.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.240596c.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.23e2948.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1ec2104.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.240596c.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1ee5128.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.23d38c8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1ebe0a4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1eb3084.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.23e2948.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.23de8e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1ec2104.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.2317856826.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.2328376091.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2959623185.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2328543666.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2302360963.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2302246591.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2959426522.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2328399065.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2336851400.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2960358590.0000000001EC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2317713903.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2336993544.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.2328520329.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2960608445.00000000023E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 3620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 5404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 1988, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: bC61G18iPf.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: bC61G18iPf.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.23d38c8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1eb3084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1ee5128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1ee5128.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.1ee5128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.240596c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.240596c.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.240596c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.23e2948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.23e2948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvc.exe.23e2948.9.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.1ec2104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1ec2104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvc.exe.1ec2104.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.240596c.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.240596c.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.240596c.8.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.1ee5128.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1ee5128.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.1ee5128.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.23d38c8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.23d38c8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.1ebe0a4.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1ebe0a4.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.1eb3084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1eb3084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvc.exe.1eb3084.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.1eb3084.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.23e2948.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.23e2948.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.23de8e8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.23de8e8.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.1ec2104.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1ec2104.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000C.00000000.2336119939.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000000.2317856826.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000000.2325863746.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2959623185.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2328543666.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.2302360963.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000C.00000002.2336486980.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2960358590.0000000001EC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000B.00000002.2336993544.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000B.00000000.2328520329.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2960608445.00000000023E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 10_2_00406C40	10_2_00406C40
Source: C:\Windows\tasksche.exe	Code function: 10_2_00402A76	10_2_00402A76
Source: C:\Windows\tasksche.exe	Code function: 10_2_00402E7E	10_2_00402E7E
Source: C:\Windows\tasksche.exe	Code function: 10_2_0040350F	10_2_0040350F
Source: C:\Windows\tasksche.exe	Code function: 10_2_00404C19	10_2_00404C19
Source: C:\Windows\tasksche.exe	Code function: 10_2_0040541F	10_2_0040541F
Source: C:\Windows\tasksche.exe	Code function: 10_2_00403797	10_2_00403797
Source: C:\Windows\tasksche.exe	Code function: 10_2_004043B7	10_2_004043B7
Source: C:\Windows\tasksche.exe	Code function: 10_2_004031BC	10_2_004031BC

Source: tasksche.exe.6.dr

Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: bC61G18iPf.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: bC61G18iPf.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: bC61G18iPf.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.23d38c8.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1eb3084.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1ee5128.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1ee5128.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.1ee5128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.240596c.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.240596c.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.240596c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.23e2948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.23e2948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvc.exe.23e2948.9.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.1ec2104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1ec2104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvc.exe.1ec2104.2.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.240596c.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.240596c.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.240596c.8.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.1ee5128.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1ee5128.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.1ee5128.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.23d38c8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.23d38c8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.1ebe0a4.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1ebe0a4.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.1eb3084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1eb3084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvc.exe.1eb3084.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.1eb3084.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.23e2948.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.23e2948.9.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.23de8e8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.23de8e8.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.1ec2104.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1ec2104.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000C.00000000.2336119939.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000000.2317856826.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000000.2325863746.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2959623185.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2328543666.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.2302360963.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000C.00000002.2336486980.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2960358590.0000000001EC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000B.00000002.2336993544.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000B.00000000.2328520329.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2960608445.00000000023E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: tasksche.exe, 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000C.00000000.2336119939.000000000040E000.00000008.00000001.01000000.00000007.sdmp, bC61G18iPf.dll, tasksche.exe.6.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.troj.expl.evad.winDLL@20/2@1/100

Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	6_2_00407C40
Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	7_2_00407C40
Source: C:\Windows\tasksche.exe	Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	10_2_00401CE8

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvc.exe	Code function: 7_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		7_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:120:WilError_03

Source: bC61G18iPf.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\bC61G18iPf.dll,PlayGame

Source: bC61G18iPf.dll	ReversingLabs: Detection: 94%
Source: bC61G18iPf.dll	Virustotal: Detection: 89%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\bC61G18iPf.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll",PlayGame
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\bC61G18iPf.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: bC61G18iPf.dll

Static file information: File size 5267459 > 1048576

Source: bC61G18iPf.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: C:\Windows\tasksche.exe

Code function: 10_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_00401A45

Source: C:\Windows\tasksche.exe	Code function: 10_2_00407710 push eax; ret		10_2_0040773E
Source: C:\Windows\tasksche.exe	Code function: 10_2_004076C8 push eax; ret		10_2_004076E6

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe	Executable created and started: C:\WINDOWS\mssecsvc.exe			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Executable created and started: C:\WINDOWS\tasksche.exe			Jump to behavior

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvc.exe TID: 2148	Thread sleep count: 90 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 2148	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 2136	Thread sleep count: 124 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 2136	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 2148	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvc.exe, 0000000B.00000002.2337272533.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWe
Source: mssecsvc.exe, 0000000B.00000002.2337272533.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhW
Source: mssecsvc.exe, 00000006.00000002.2329133758.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000007.00000002.2959897169.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000B.00000002.2337272533.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvc.exe, 00000006.00000002.2329133758.0000000000D67000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: mssecsvc.exe, 00000007.00000002.2959897169.0000000000D08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Windows\tasksche.exe

Code function: 10_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_00401A45

Source: C:\Windows\tasksche.exe

Code function: 10_2_004029CC free,GetProcessHeap,HeapFree,

10_2_004029CC

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll",#1

Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bC61G18iPf.dll	95%	ReversingLabs	Win32.Ransomware.WannaCry
bC61G18iPf.dll	90%	Virustotal		Browse
bC61G18iPf.dll	100%	Avira	TR/AD.WannaCry.cxhsa
bC61G18iPf.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	93%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	93%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label	Link
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com5	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.167.228	true	false		high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	bC61G18iPf.dll	false		high
https://www.kryptoslogic.com	mssecsvc.exe, 00000006.00000002.2329133758.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com//	mssecsvc.exe, 00000006.00000002.2329133758.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com5	mssecsvc.exe, 0000000B.00000002.2337272533.0000000000D18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/5	mssecsvc.exe, 00000006.00000002.2329133758.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	mssecsvc.exe, 00000007.00000002.2959289660.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
44.53.29.147	unknown	United States	7377	UCSDUS	false
41.215.205.230	unknown	unknown	36974	AFNET-ASCI	false
191.52.146.5	unknown	Brazil	263282	FUNDACAOUNIVERSIDADEDOOESTEDESANTACATARINABR	true
191.52.146.6	unknown	Brazil	263282	FUNDACAOUNIVERSIDADEDOOESTEDESANTACATARINABR	true
191.52.146.3	unknown	Brazil	263282	FUNDACAOUNIVERSIDADEDOOESTEDESANTACATARINABR	true
191.52.146.4	unknown	Brazil	263282	FUNDACAOUNIVERSIDADEDOOESTEDESANTACATARINABR	true
191.52.146.1	unknown	Brazil	263282	FUNDACAOUNIVERSIDADEDOOESTEDESANTACATARINABR	true
191.52.146.2	unknown	Brazil	263282	FUNDACAOUNIVERSIDADEDOOESTEDESANTACATARINABR	true
90.146.13.201	unknown	Austria	12605	LIWEST-ATLinzAustriaAT	false
191.52.146.9	unknown	Brazil	263282	FUNDACAOUNIVERSIDADEDOOESTEDESANTACATARINABR	true
11.170.45.231	unknown	United States	3356	LEVEL3US	false
191.52.146.7	unknown	Brazil	263282	FUNDACAOUNIVERSIDADEDOOESTEDESANTACATARINABR	true
191.52.146.8	unknown	Brazil	263282	FUNDACAOUNIVERSIDADEDOOESTEDESANTACATARINABR	true
122.150.85.1	unknown	Australia	9443	VOCUS-RETAIL-AUVocusRetailAU	false
64.111.49.1	unknown	United States	62943	AS62943-BLUEBIRD-NETWORKUS	false
192.201.193.167	unknown	United States	10912	INTERNAP-BLKUS	false
122.150.85.142	unknown	Australia	9443	VOCUS-RETAIL-AUVocusRetailAU	false
166.112.213.83	unknown	United States	58681	NSWPOLSERV-AS-APNewSouthWalesPoliceAU	false
213.39.119.211	unknown	United Kingdom	3257	GTT-BACKBONEGTTDE	false
191.65.111.1	unknown	Colombia	26611	COMCELSACO	false
192.201.193.1	unknown	United States	10912	INTERNAP-BLKUS	false
97.151.157.92	unknown	United States	6167	CELLCO-PARTUS	false
90.146.13.1	unknown	Austria	12605	LIWEST-ATLinzAustriaAT	false
191.52.146.125	unknown	Brazil	263282	FUNDACAOUNIVERSIDADEDOOESTEDESANTACATARINABR	true
31.211.10.2	unknown	Russian Federation	31036	NEWTELESYSTEMSRU	false
163.149.244.1	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
31.211.10.1	unknown	Russian Federation	31036	NEWTELESYSTEMSRU	false
163.149.244.2	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
117.121.16.142	unknown	China	56048	CMNET-BEIJING-APChinaMobileCommunicaitonsCorporationCN	false
11.170.45.1	unknown	United States	3356	LEVEL3US	false
182.175.152.2	unknown	China	23724	CHINANET-IDC-BJ-APIDCChinaTelecommunicationsCorporation	false
96.157.153.1	unknown	United States	7922	COMCAST-7922US	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591811
Start date and time:	2025-01-15 14:04:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bC61G18iPf.dll renamed because original name is a hash value
Original Sample Name:	b01b4dbaeab5353347d09642c0454cef.dll
Detection:	MAL
Classification:	mal100.rans.troj.expl.evad.winDLL@20/2@1/100
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 2.17.190.73, 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target tasksche.exe, PID 940 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:05:26	API Interceptor	1x Sleep call for process: loaddll32.exe modified
08:06:01	API Interceptor	112x Sleep call for process: mssecsvc.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	RFQ # PC25-1301.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	RFQ # PC25-1301.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://eventor.orienteering.asn.au/Home/RedirectToLivelox?redirectUrl=https%3A%2F%2Farchive1.diqx8fescpsb0.amplifyapp.com%2Fm1%2Fenvelope%2Fdocument%2Fcontent%2F4086	Get hash	malicious	Unknown	Browse	13.107.246.45
	Setup_BrightSlide_1.0.9.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	9179390927_20250115_155451.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://www.pdfforge.org/pdfcreator?srsltid=AfmBOoq1lpA5qNxfcLUyxjmEXAioeKYtqPTpBsIbZ5VOdq3uhOg1WclG	Get hash	malicious	Unknown	Browse	13.107.246.45
	0969686.vbe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	13.107.246.45
	http://jfdhq.offerpeercheck.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	T1#U5b89#U88c5#U53051.0.3.msi	Get hash	malicious	Unknown	Browse	13.107.246.45
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	XB6SkLK7Al.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	ue5QSYCBPt.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	xjljKPlxqO.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	wmnq39xe8J.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	FAuEwllF3K.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	6fRzgDuqWT.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	tTbeoLWNhb.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	330tqxXVzm.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	9kNjKSEUym.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	v9xYj92wR3.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AFNET-ASCI	mips.elf	Get hash	malicious	Mirai	Browse	41.191.191.237
	meth2.elf	Get hash	malicious	Mirai	Browse	41.74.104.190
	meth7.elf	Get hash	malicious	Mirai	Browse	41.191.191.213
	3.elf	Get hash	malicious	Unknown	Browse	41.205.177.147
	6.elf	Get hash	malicious	Unknown	Browse	41.245.1.230
	3.elf	Get hash	malicious	Unknown	Browse	197.149.159.252
	5.elf	Get hash	malicious	Unknown	Browse	41.190.177.142
	6.elf	Get hash	malicious	Unknown	Browse	41.77.181.110
	sora.arm.elf	Get hash	malicious	Unknown	Browse	41.206.243.192
	5.elf	Get hash	malicious	Unknown	Browse	41.67.115.119
UCSDUS	wmnq39xe8J.dll	Get hash	malicious	Wannacry	Browse	44.101.207.1
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	44.86.39.2
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	44.161.110.199
	meth8.elf	Get hash	malicious	Mirai	Browse	44.63.122.194
	arm4.elf	Get hash	malicious	Unknown	Browse	44.60.240.87
	m68k.elf	Get hash	malicious	Unknown	Browse	44.37.223.28
	x86.elf	Get hash	malicious	Unknown	Browse	44.91.54.217
	meth14.elf	Get hash	malicious	Mirai	Browse	44.101.168.151
	meth9.elf	Get hash	malicious	Mirai	Browse	44.77.55.220
	mips.elf	Get hash	malicious	Unknown	Browse	44.91.54.239
FUNDACAOUNIVERSIDADEDOOESTEDESANTACATARINABR	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	191.52.211.63
	D1b2MTIAkl.elf	Get hash	malicious	Mirai	Browse	191.52.144.191
	nOQTzd9ke3.elf	Get hash	malicious	Mirai	Browse	191.52.178.6
FUNDACAOUNIVERSIDADEDOOESTEDESANTACATARINABR	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	191.52.211.63
	D1b2MTIAkl.elf	Get hash	malicious	Mirai	Browse	191.52.144.191
	nOQTzd9ke3.elf	Get hash	malicious	Mirai	Browse	191.52.178.6

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	2.653697081012079
Encrypted:	false
SSDEEP:	12288:nQhMbaIMu7L5NVErCA4z2g6rTcbckPM82900Ve7zw+K+DHeQYSUjEXFGeXE3:nQhfdmMSirYbcMNgef0QeQjG
MD5:	E19F8CB58CEEDE7D421A4BD320109DEA
SHA1:	7BA8A6E8CDE8242A25A0DA60BDECA1F3EC0BF5E5
SHA-256:	6E1A97463DBCF36E2CD74678E7F2626F2516ECD0831AC2EADDD1FCAEAD58EEA4
SHA-512:	3A0A52CF2367371BAB0D3FEE28EE4AC3DA0B5621361455A4D6F76F252B26181222AE884782F333B1E4F825B6C1D1AAF0A9AB49A52A585672859546E58F076AEA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 93%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	2.653697081012079
Encrypted:	false
SSDEEP:	12288:nQhMbaIMu7L5NVErCA4z2g6rTcbckPM82900Ve7zw+K+DHeQYSUjEXFGeXE3:nQhfdmMSirYbcMNgef0QeQjG
MD5:	E19F8CB58CEEDE7D421A4BD320109DEA
SHA1:	7BA8A6E8CDE8242A25A0DA60BDECA1F3EC0BF5E5
SHA-256:	6E1A97463DBCF36E2CD74678E7F2626F2516ECD0831AC2EADDD1FCAEAD58EEA4
SHA-512:	3A0A52CF2367371BAB0D3FEE28EE4AC3DA0B5621361455A4D6F76F252B26181222AE884782F333B1E4F825B6C1D1AAF0A9AB49A52A585672859546E58F076AEA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 93%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	2.1638785160936123
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	bC61G18iPf.dll
File size:	5'267'459 bytes
MD5:	b01b4dbaeab5353347d09642c0454cef
SHA1:	bb043b2adbdb267e4b526c6428cf5eef5111015c
SHA256:	115e716481945844a24a4c4e21cec431792bffcb2bb6a05728e829742ba9bcf6
SHA512:	e6483b7a2e65a7e9766ed2d2bee35d44bde6c3e917e26eb1b19e837730d9189f214c75765511a4db6b9d769f1edea7943ffe9d4b65b3159139f1be177b838c2c
SSDEEP:	12288:yvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPM82900Ve7zw+K+DHeQYSUjEXFO:SbLgddQhfdmMSirYbcMNgef0QeQjG
TLSH:	D8362259766C91FCC10A627574634A26A6B73C9A32BD960F8F9087620D03760FFB8F47
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F61D4E275ABh
cmp dword ptr [10003140h], 00000000h
jmp 00007F61D4E275C8h
cmp esi, 01h
je 00007F61D4E275A7h
cmp esi, 02h
jne 00007F61D4E275C4h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F61D4E275ABh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F61D4E275AEh
push edi
push esi
push ebx
call 00007F61D4E274BAh
test eax, eax
jne 00007F61D4E275A6h
xor eax, eax
jmp 00007F61D4E275F0h
push edi
push esi
push ebx
call 00007F61D4E2736Ch
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F61D4E275AEh
test eax, eax
jne 00007F61D4E275D9h
push edi
push eax
push ebx
call 00007F61D4E27496h
test esi, esi
je 00007F61D4E275A7h
cmp esi, 03h
jne 00007F61D4E275C8h
push edi
push esi
push ebx
call 00007F61D4E27485h
test eax, eax
jne 00007F61D4E275A5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F61D4E275B3h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F61D4E275AAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	fe5022c5b5d015ad38b2b77fc437a5cb	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085238686413312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	0fd6ed761a6c6531a0442c9ee9ba5e3c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8770942687988281

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T14:05:26.341899+0100	2024291	ET MALWARE Possible WannaCry DNS Lookup 1	1	192.168.2.5	57313	1.1.1.1	53	UDP
2025-01-15T14:05:26.878647+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49756	104.16.167.228	80	TCP
2025-01-15T14:05:26.878647+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.5	49756	104.16.167.228	80	TCP
2025-01-15T14:05:26.878647+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.5	49756	104.16.167.228	80	TCP
2025-01-15T14:05:26.878647+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.5	49756	104.16.167.228	80	TCP
2025-01-15T14:05:26.878647+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.5	49756	104.16.167.228	80	TCP
2025-01-15T14:05:26.878784+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.167.228	80	192.168.2.5	49756	TCP
2025-01-15T14:05:27.707661+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49762	104.16.167.228	80	TCP
2025-01-15T14:05:27.707661+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.5	49762	104.16.167.228	80	TCP
2025-01-15T14:05:27.707661+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.5	49762	104.16.167.228	80	TCP
2025-01-15T14:05:27.707661+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.5	49762	104.16.167.228	80	TCP
2025-01-15T14:05:27.707661+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.5	49762	104.16.167.228	80	TCP
2025-01-15T14:05:27.712534+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.167.228	80	192.168.2.5	49762	TCP
2025-01-15T14:05:28.728982+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49781	104.16.167.228	80	TCP
2025-01-15T14:05:28.728982+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.5	49781	104.16.167.228	80	TCP
2025-01-15T14:05:28.728982+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.5	49781	104.16.167.228	80	TCP
2025-01-15T14:05:28.728982+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.5	49781	104.16.167.228	80	TCP
2025-01-15T14:05:28.728982+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.5	49781	104.16.167.228	80	TCP
2025-01-15T14:05:28.730630+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.167.228	80	192.168.2.5	49781	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 14:05:16.669070959 CET	49675	443	192.168.2.5	23.1.237.91
Jan 15, 2025 14:05:16.684699059 CET	49674	443	192.168.2.5	23.1.237.91
Jan 15, 2025 14:05:16.778374910 CET	49673	443	192.168.2.5	23.1.237.91
Jan 15, 2025 14:05:18.427697897 CET	443	49704	23.1.237.91	192.168.2.5
Jan 15, 2025 14:05:18.427854061 CET	49704	443	192.168.2.5	23.1.237.91
Jan 15, 2025 14:05:26.386008978 CET	49756	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:26.391060114 CET	80	49756	104.16.167.228	192.168.2.5
Jan 15, 2025 14:05:26.391166925 CET	49756	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:26.391333103 CET	49756	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:26.396130085 CET	80	49756	104.16.167.228	192.168.2.5
Jan 15, 2025 14:05:26.878580093 CET	80	49756	104.16.167.228	192.168.2.5
Jan 15, 2025 14:05:26.878647089 CET	49756	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:26.878783941 CET	80	49756	104.16.167.228	192.168.2.5
Jan 15, 2025 14:05:26.878823996 CET	49756	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:26.878863096 CET	49756	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:26.883760929 CET	80	49756	104.16.167.228	192.168.2.5
Jan 15, 2025 14:05:27.219410896 CET	49762	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:27.224400997 CET	80	49762	104.16.167.228	192.168.2.5
Jan 15, 2025 14:05:27.224483013 CET	49762	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:27.224606037 CET	49762	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:27.229656935 CET	80	49762	104.16.167.228	192.168.2.5
Jan 15, 2025 14:05:27.706903934 CET	80	49762	104.16.167.228	192.168.2.5
Jan 15, 2025 14:05:27.707565069 CET	80	49762	104.16.167.228	192.168.2.5
Jan 15, 2025 14:05:27.707660913 CET	49762	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:27.707798958 CET	49762	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:27.712533951 CET	80	49762	104.16.167.228	192.168.2.5
Jan 15, 2025 14:05:27.744738102 CET	49768	445	192.168.2.5	163.149.244.119
Jan 15, 2025 14:05:27.759372950 CET	445	49768	163.149.244.119	192.168.2.5
Jan 15, 2025 14:05:27.759480953 CET	49768	445	192.168.2.5	163.149.244.119
Jan 15, 2025 14:05:27.760160923 CET	49768	445	192.168.2.5	163.149.244.119
Jan 15, 2025 14:05:27.760377884 CET	49769	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:05:27.766443968 CET	445	49769	163.149.244.1	192.168.2.5
Jan 15, 2025 14:05:27.766580105 CET	445	49768	163.149.244.119	192.168.2.5
Jan 15, 2025 14:05:27.766669989 CET	49768	445	192.168.2.5	163.149.244.119
Jan 15, 2025 14:05:27.766669989 CET	49769	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:05:27.766742945 CET	49769	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:05:27.771653891 CET	49771	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:05:27.771908045 CET	445	49769	163.149.244.1	192.168.2.5
Jan 15, 2025 14:05:27.773900032 CET	445	49769	163.149.244.1	192.168.2.5
Jan 15, 2025 14:05:27.773948908 CET	49769	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:05:27.776458979 CET	445	49771	163.149.244.1	192.168.2.5
Jan 15, 2025 14:05:27.777100086 CET	49771	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:05:27.777101040 CET	49771	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:05:27.781905890 CET	445	49771	163.149.244.1	192.168.2.5
Jan 15, 2025 14:05:28.249434948 CET	49781	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:28.254324913 CET	80	49781	104.16.167.228	192.168.2.5
Jan 15, 2025 14:05:28.254405975 CET	49781	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:28.254964113 CET	49781	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:28.259774923 CET	80	49781	104.16.167.228	192.168.2.5
Jan 15, 2025 14:05:28.728919983 CET	80	49781	104.16.167.228	192.168.2.5
Jan 15, 2025 14:05:28.728981972 CET	49781	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:28.729084015 CET	49781	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:28.730629921 CET	80	49781	104.16.167.228	192.168.2.5
Jan 15, 2025 14:05:28.730684996 CET	49781	80	192.168.2.5	104.16.167.228
Jan 15, 2025 14:05:28.733871937 CET	80	49781	104.16.167.228	192.168.2.5
Jan 15, 2025 14:05:29.748939037 CET	49804	445	192.168.2.5	31.211.10.204
Jan 15, 2025 14:05:29.753850937 CET	445	49804	31.211.10.204	192.168.2.5
Jan 15, 2025 14:05:29.753941059 CET	49804	445	192.168.2.5	31.211.10.204
Jan 15, 2025 14:05:29.754091978 CET	49804	445	192.168.2.5	31.211.10.204
Jan 15, 2025 14:05:29.754604101 CET	49805	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:05:29.758933067 CET	445	49804	31.211.10.204	192.168.2.5
Jan 15, 2025 14:05:29.758990049 CET	49804	445	192.168.2.5	31.211.10.204
Jan 15, 2025 14:05:29.759413004 CET	445	49805	31.211.10.1	192.168.2.5
Jan 15, 2025 14:05:29.759471893 CET	49805	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:05:29.759563923 CET	49805	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:05:29.760845900 CET	49806	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:05:29.764964104 CET	445	49805	31.211.10.1	192.168.2.5
Jan 15, 2025 14:05:29.765048027 CET	49805	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:05:29.765647888 CET	445	49806	31.211.10.1	192.168.2.5
Jan 15, 2025 14:05:29.765714884 CET	49806	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:05:29.765780926 CET	49806	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:05:29.770566940 CET	445	49806	31.211.10.1	192.168.2.5
Jan 15, 2025 14:05:31.764632940 CET	49846	445	192.168.2.5	191.52.146.125
Jan 15, 2025 14:05:31.769884109 CET	445	49846	191.52.146.125	192.168.2.5
Jan 15, 2025 14:05:31.769984007 CET	49846	445	192.168.2.5	191.52.146.125
Jan 15, 2025 14:05:31.770052910 CET	49846	445	192.168.2.5	191.52.146.125
Jan 15, 2025 14:05:31.770339012 CET	49847	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:31.775264978 CET	445	49847	191.52.146.1	192.168.2.5
Jan 15, 2025 14:05:31.775389910 CET	49847	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:31.775389910 CET	49847	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:31.775432110 CET	445	49846	191.52.146.125	192.168.2.5
Jan 15, 2025 14:05:31.775531054 CET	49846	445	192.168.2.5	191.52.146.125
Jan 15, 2025 14:05:31.776819944 CET	49848	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:31.780482054 CET	445	49847	191.52.146.1	192.168.2.5
Jan 15, 2025 14:05:31.780558109 CET	49847	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:31.781873941 CET	445	49848	191.52.146.1	192.168.2.5
Jan 15, 2025 14:05:31.782035112 CET	49848	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:31.782035112 CET	49848	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:31.787966967 CET	445	49848	191.52.146.1	192.168.2.5
Jan 15, 2025 14:05:33.550298929 CET	445	49848	191.52.146.1	192.168.2.5
Jan 15, 2025 14:05:33.550410986 CET	49848	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:33.550472021 CET	49848	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:33.550544024 CET	49848	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:33.555293083 CET	445	49848	191.52.146.1	192.168.2.5
Jan 15, 2025 14:05:33.555340052 CET	445	49848	191.52.146.1	192.168.2.5
Jan 15, 2025 14:05:33.781194925 CET	49883	445	192.168.2.5	213.39.119.211
Jan 15, 2025 14:05:33.786014080 CET	445	49883	213.39.119.211	192.168.2.5
Jan 15, 2025 14:05:33.786618948 CET	49883	445	192.168.2.5	213.39.119.211
Jan 15, 2025 14:05:33.786786079 CET	49883	445	192.168.2.5	213.39.119.211
Jan 15, 2025 14:05:33.787020922 CET	49885	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:05:33.791779041 CET	445	49883	213.39.119.211	192.168.2.5
Jan 15, 2025 14:05:33.791801929 CET	445	49885	213.39.119.1	192.168.2.5
Jan 15, 2025 14:05:33.791874886 CET	49883	445	192.168.2.5	213.39.119.211
Jan 15, 2025 14:05:33.791903973 CET	49885	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:05:33.791992903 CET	49885	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:05:33.795397043 CET	49886	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:05:33.796931982 CET	445	49885	213.39.119.1	192.168.2.5
Jan 15, 2025 14:05:33.797010899 CET	49885	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:05:33.800256968 CET	445	49886	213.39.119.1	192.168.2.5
Jan 15, 2025 14:05:33.800973892 CET	49886	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:05:33.801045895 CET	49886	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:05:33.805835962 CET	445	49886	213.39.119.1	192.168.2.5
Jan 15, 2025 14:05:35.796231985 CET	49920	445	192.168.2.5	59.126.4.227
Jan 15, 2025 14:05:35.801161051 CET	445	49920	59.126.4.227	192.168.2.5
Jan 15, 2025 14:05:35.801278114 CET	49920	445	192.168.2.5	59.126.4.227
Jan 15, 2025 14:05:35.801338911 CET	49920	445	192.168.2.5	59.126.4.227
Jan 15, 2025 14:05:35.801553011 CET	49922	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:05:35.806252003 CET	445	49920	59.126.4.227	192.168.2.5
Jan 15, 2025 14:05:35.806339025 CET	49920	445	192.168.2.5	59.126.4.227
Jan 15, 2025 14:05:35.806380033 CET	445	49922	59.126.4.1	192.168.2.5
Jan 15, 2025 14:05:35.806449890 CET	49922	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:05:35.806540012 CET	49922	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:05:35.807529926 CET	49923	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:05:35.811455965 CET	445	49922	59.126.4.1	192.168.2.5
Jan 15, 2025 14:05:35.811538935 CET	49922	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:05:35.813503027 CET	445	49923	59.126.4.1	192.168.2.5
Jan 15, 2025 14:05:35.813596010 CET	49923	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:05:35.813703060 CET	49923	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:05:35.819355011 CET	445	49923	59.126.4.1	192.168.2.5
Jan 15, 2025 14:05:36.559937000 CET	49935	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:36.564815998 CET	445	49935	191.52.146.1	192.168.2.5
Jan 15, 2025 14:05:36.564918041 CET	49935	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:36.564986944 CET	49935	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:36.569742918 CET	445	49935	191.52.146.1	192.168.2.5
Jan 15, 2025 14:05:37.811491966 CET	49957	445	192.168.2.5	48.181.201.46
Jan 15, 2025 14:05:37.816277981 CET	445	49957	48.181.201.46	192.168.2.5
Jan 15, 2025 14:05:37.816364050 CET	49957	445	192.168.2.5	48.181.201.46
Jan 15, 2025 14:05:37.816389084 CET	49957	445	192.168.2.5	48.181.201.46
Jan 15, 2025 14:05:37.816541910 CET	49958	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:05:37.821379900 CET	445	49957	48.181.201.46	192.168.2.5
Jan 15, 2025 14:05:37.821388960 CET	445	49958	48.181.201.1	192.168.2.5
Jan 15, 2025 14:05:37.821436882 CET	49957	445	192.168.2.5	48.181.201.46
Jan 15, 2025 14:05:37.821475029 CET	49958	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:05:37.821512938 CET	49958	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:05:37.822401047 CET	49959	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:05:37.826493979 CET	445	49958	48.181.201.1	192.168.2.5
Jan 15, 2025 14:05:37.826564074 CET	49958	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:05:37.827227116 CET	445	49959	48.181.201.1	192.168.2.5
Jan 15, 2025 14:05:37.827310085 CET	49959	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:05:37.827419996 CET	49959	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:05:37.832144022 CET	445	49959	48.181.201.1	192.168.2.5
Jan 15, 2025 14:05:38.344360113 CET	445	49935	191.52.146.1	192.168.2.5
Jan 15, 2025 14:05:38.344626904 CET	49935	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:38.344628096 CET	49935	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:38.344628096 CET	49935	445	192.168.2.5	191.52.146.1
Jan 15, 2025 14:05:38.349486113 CET	445	49935	191.52.146.1	192.168.2.5
Jan 15, 2025 14:05:38.349622011 CET	445	49935	191.52.146.1	192.168.2.5
Jan 15, 2025 14:05:38.403778076 CET	49970	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:38.408688068 CET	445	49970	191.52.146.2	192.168.2.5
Jan 15, 2025 14:05:38.408910990 CET	49970	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:38.408911943 CET	49970	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:38.409827948 CET	49971	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:38.414009094 CET	445	49970	191.52.146.2	192.168.2.5
Jan 15, 2025 14:05:38.414104939 CET	49970	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:38.414665937 CET	445	49971	191.52.146.2	192.168.2.5
Jan 15, 2025 14:05:38.414841890 CET	49971	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:38.414880991 CET	49971	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:38.419682980 CET	445	49971	191.52.146.2	192.168.2.5
Jan 15, 2025 14:05:39.826592922 CET	49994	445	192.168.2.5	195.114.66.75
Jan 15, 2025 14:05:39.832389116 CET	445	49994	195.114.66.75	192.168.2.5
Jan 15, 2025 14:05:39.832489014 CET	49994	445	192.168.2.5	195.114.66.75
Jan 15, 2025 14:05:39.832532883 CET	49994	445	192.168.2.5	195.114.66.75
Jan 15, 2025 14:05:39.832784891 CET	49995	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:05:39.838186026 CET	445	49994	195.114.66.75	192.168.2.5
Jan 15, 2025 14:05:39.838258982 CET	49994	445	192.168.2.5	195.114.66.75
Jan 15, 2025 14:05:39.839109898 CET	445	49995	195.114.66.1	192.168.2.5
Jan 15, 2025 14:05:39.839236975 CET	49995	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:05:39.839795113 CET	49996	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:05:39.839821100 CET	49995	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:05:39.845391989 CET	445	49996	195.114.66.1	192.168.2.5
Jan 15, 2025 14:05:39.845438004 CET	445	49995	195.114.66.1	192.168.2.5
Jan 15, 2025 14:05:39.845459938 CET	49996	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:05:39.845498085 CET	49995	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:05:39.845527887 CET	49996	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:05:39.850265026 CET	445	49996	195.114.66.1	192.168.2.5
Jan 15, 2025 14:05:40.189914942 CET	445	49971	191.52.146.2	192.168.2.5
Jan 15, 2025 14:05:40.190006018 CET	49971	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:40.190054893 CET	49971	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:40.190119982 CET	49971	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:40.194818020 CET	445	49971	191.52.146.2	192.168.2.5
Jan 15, 2025 14:05:40.194859028 CET	445	49971	191.52.146.2	192.168.2.5
Jan 15, 2025 14:05:41.841463089 CET	50033	445	192.168.2.5	182.175.152.21
Jan 15, 2025 14:05:41.846415043 CET	445	50033	182.175.152.21	192.168.2.5
Jan 15, 2025 14:05:41.846550941 CET	50033	445	192.168.2.5	182.175.152.21
Jan 15, 2025 14:05:41.846653938 CET	50033	445	192.168.2.5	182.175.152.21
Jan 15, 2025 14:05:41.846870899 CET	50034	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:05:41.851530075 CET	445	50033	182.175.152.21	192.168.2.5
Jan 15, 2025 14:05:41.851603031 CET	50033	445	192.168.2.5	182.175.152.21
Jan 15, 2025 14:05:41.851618052 CET	445	50034	182.175.152.1	192.168.2.5
Jan 15, 2025 14:05:41.851675987 CET	50034	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:05:41.851722956 CET	50034	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:05:41.852070093 CET	50035	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:05:41.856622934 CET	445	50034	182.175.152.1	192.168.2.5
Jan 15, 2025 14:05:41.856683016 CET	50034	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:05:41.856880903 CET	445	50035	182.175.152.1	192.168.2.5
Jan 15, 2025 14:05:41.856940031 CET	50035	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:05:41.856987953 CET	50035	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:05:41.861721992 CET	445	50035	182.175.152.1	192.168.2.5
Jan 15, 2025 14:05:43.200627089 CET	50061	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:43.205507994 CET	445	50061	191.52.146.2	192.168.2.5
Jan 15, 2025 14:05:43.205632925 CET	50061	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:43.205682039 CET	50061	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:43.210516930 CET	445	50061	191.52.146.2	192.168.2.5
Jan 15, 2025 14:05:43.857058048 CET	50071	445	192.168.2.5	97.151.157.92
Jan 15, 2025 14:05:43.861979008 CET	445	50071	97.151.157.92	192.168.2.5
Jan 15, 2025 14:05:43.862071991 CET	50071	445	192.168.2.5	97.151.157.92
Jan 15, 2025 14:05:43.862124920 CET	50071	445	192.168.2.5	97.151.157.92
Jan 15, 2025 14:05:43.862397909 CET	50072	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:05:43.867157936 CET	445	50071	97.151.157.92	192.168.2.5
Jan 15, 2025 14:05:43.867237091 CET	50071	445	192.168.2.5	97.151.157.92
Jan 15, 2025 14:05:43.867335081 CET	445	50072	97.151.157.1	192.168.2.5
Jan 15, 2025 14:05:43.867412090 CET	50072	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:05:43.867494106 CET	50072	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:05:43.867729902 CET	50073	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:05:43.872447014 CET	445	50072	97.151.157.1	192.168.2.5
Jan 15, 2025 14:05:43.872522116 CET	50072	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:05:43.872567892 CET	445	50073	97.151.157.1	192.168.2.5
Jan 15, 2025 14:05:43.872705936 CET	50073	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:05:43.872705936 CET	50073	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:05:43.878660917 CET	445	50073	97.151.157.1	192.168.2.5
Jan 15, 2025 14:05:44.983964920 CET	445	50061	191.52.146.2	192.168.2.5
Jan 15, 2025 14:05:44.984030008 CET	50061	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:44.984080076 CET	50061	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:44.984143019 CET	50061	445	192.168.2.5	191.52.146.2
Jan 15, 2025 14:05:44.989665031 CET	445	50061	191.52.146.2	192.168.2.5
Jan 15, 2025 14:05:44.989685059 CET	445	50061	191.52.146.2	192.168.2.5
Jan 15, 2025 14:05:45.044435024 CET	50093	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:45.049411058 CET	445	50093	191.52.146.3	192.168.2.5
Jan 15, 2025 14:05:45.049530029 CET	50093	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:45.049604893 CET	50093	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:45.049948931 CET	50094	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:45.054570913 CET	445	50093	191.52.146.3	192.168.2.5
Jan 15, 2025 14:05:45.054692984 CET	50093	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:45.054920912 CET	445	50094	191.52.146.3	192.168.2.5
Jan 15, 2025 14:05:45.054991007 CET	50094	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:45.055026054 CET	50094	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:45.059849024 CET	445	50094	191.52.146.3	192.168.2.5
Jan 15, 2025 14:05:45.872587919 CET	50109	445	192.168.2.5	98.93.158.75
Jan 15, 2025 14:05:45.877882957 CET	445	50109	98.93.158.75	192.168.2.5
Jan 15, 2025 14:05:45.877993107 CET	50109	445	192.168.2.5	98.93.158.75
Jan 15, 2025 14:05:45.878082991 CET	50109	445	192.168.2.5	98.93.158.75
Jan 15, 2025 14:05:45.878319979 CET	50110	445	192.168.2.5	98.93.158.1
Jan 15, 2025 14:05:45.883913994 CET	445	50110	98.93.158.1	192.168.2.5
Jan 15, 2025 14:05:45.883969069 CET	445	50109	98.93.158.75	192.168.2.5
Jan 15, 2025 14:05:45.883981943 CET	445	50109	98.93.158.75	192.168.2.5
Jan 15, 2025 14:05:45.884005070 CET	50110	445	192.168.2.5	98.93.158.1
Jan 15, 2025 14:05:45.884027004 CET	50110	445	192.168.2.5	98.93.158.1
Jan 15, 2025 14:05:45.884396076 CET	50109	445	192.168.2.5	98.93.158.75
Jan 15, 2025 14:05:45.884413004 CET	50111	445	192.168.2.5	98.93.158.1
Jan 15, 2025 14:05:45.888953924 CET	445	50110	98.93.158.1	192.168.2.5
Jan 15, 2025 14:05:45.889017105 CET	50110	445	192.168.2.5	98.93.158.1
Jan 15, 2025 14:05:45.889225960 CET	445	50111	98.93.158.1	192.168.2.5
Jan 15, 2025 14:05:45.889302015 CET	50111	445	192.168.2.5	98.93.158.1
Jan 15, 2025 14:05:45.889343023 CET	50111	445	192.168.2.5	98.93.158.1
Jan 15, 2025 14:05:45.894151926 CET	445	50111	98.93.158.1	192.168.2.5
Jan 15, 2025 14:05:46.831795931 CET	445	50094	191.52.146.3	192.168.2.5
Jan 15, 2025 14:05:46.831981897 CET	50094	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:46.832045078 CET	50094	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:46.832087040 CET	50094	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:46.836946011 CET	445	50094	191.52.146.3	192.168.2.5
Jan 15, 2025 14:05:46.836977005 CET	445	50094	191.52.146.3	192.168.2.5
Jan 15, 2025 14:05:47.888559103 CET	50147	445	192.168.2.5	96.157.153.205
Jan 15, 2025 14:05:47.893557072 CET	445	50147	96.157.153.205	192.168.2.5
Jan 15, 2025 14:05:47.895107031 CET	50147	445	192.168.2.5	96.157.153.205
Jan 15, 2025 14:05:47.895107031 CET	50147	445	192.168.2.5	96.157.153.205
Jan 15, 2025 14:05:47.895203114 CET	50148	445	192.168.2.5	96.157.153.1
Jan 15, 2025 14:05:47.900105000 CET	445	50148	96.157.153.1	192.168.2.5
Jan 15, 2025 14:05:47.900382042 CET	445	50147	96.157.153.205	192.168.2.5
Jan 15, 2025 14:05:47.900574923 CET	50147	445	192.168.2.5	96.157.153.205
Jan 15, 2025 14:05:47.900574923 CET	50148	445	192.168.2.5	96.157.153.1
Jan 15, 2025 14:05:47.900574923 CET	50148	445	192.168.2.5	96.157.153.1
Jan 15, 2025 14:05:47.900911093 CET	50149	445	192.168.2.5	96.157.153.1
Jan 15, 2025 14:05:47.905688047 CET	445	50148	96.157.153.1	192.168.2.5
Jan 15, 2025 14:05:47.905731916 CET	445	50149	96.157.153.1	192.168.2.5
Jan 15, 2025 14:05:47.905823946 CET	50149	445	192.168.2.5	96.157.153.1
Jan 15, 2025 14:05:47.905864000 CET	50149	445	192.168.2.5	96.157.153.1
Jan 15, 2025 14:05:47.905910969 CET	50148	445	192.168.2.5	96.157.153.1
Jan 15, 2025 14:05:47.910620928 CET	445	50149	96.157.153.1	192.168.2.5
Jan 15, 2025 14:05:49.172905922 CET	445	49771	163.149.244.1	192.168.2.5
Jan 15, 2025 14:05:49.172972918 CET	49771	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:05:49.173042059 CET	49771	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:05:49.173111916 CET	49771	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:05:49.177815914 CET	445	49771	163.149.244.1	192.168.2.5
Jan 15, 2025 14:05:49.177894115 CET	445	49771	163.149.244.1	192.168.2.5
Jan 15, 2025 14:05:49.841126919 CET	50184	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:49.847562075 CET	445	50184	191.52.146.3	192.168.2.5
Jan 15, 2025 14:05:49.847661018 CET	50184	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:49.847732067 CET	50184	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:49.854219913 CET	445	50184	191.52.146.3	192.168.2.5
Jan 15, 2025 14:05:49.904076099 CET	50185	445	192.168.2.5	44.53.29.147
Jan 15, 2025 14:05:49.910501003 CET	445	50185	44.53.29.147	192.168.2.5
Jan 15, 2025 14:05:49.910587072 CET	50185	445	192.168.2.5	44.53.29.147
Jan 15, 2025 14:05:49.910670996 CET	50185	445	192.168.2.5	44.53.29.147
Jan 15, 2025 14:05:49.910787106 CET	50186	445	192.168.2.5	44.53.29.1
Jan 15, 2025 14:05:49.917155981 CET	445	50186	44.53.29.1	192.168.2.5
Jan 15, 2025 14:05:49.917229891 CET	50186	445	192.168.2.5	44.53.29.1
Jan 15, 2025 14:05:49.917274952 CET	50186	445	192.168.2.5	44.53.29.1
Jan 15, 2025 14:05:49.917591095 CET	445	50185	44.53.29.147	192.168.2.5
Jan 15, 2025 14:05:49.917614937 CET	50187	445	192.168.2.5	44.53.29.1
Jan 15, 2025 14:05:49.917793036 CET	50185	445	192.168.2.5	44.53.29.147
Jan 15, 2025 14:05:49.923860073 CET	445	50187	44.53.29.1	192.168.2.5
Jan 15, 2025 14:05:49.923932076 CET	50187	445	192.168.2.5	44.53.29.1
Jan 15, 2025 14:05:49.923949957 CET	445	50186	44.53.29.1	192.168.2.5
Jan 15, 2025 14:05:49.923970938 CET	50187	445	192.168.2.5	44.53.29.1
Jan 15, 2025 14:05:49.924309969 CET	445	50186	44.53.29.1	192.168.2.5
Jan 15, 2025 14:05:49.924360037 CET	50186	445	192.168.2.5	44.53.29.1
Jan 15, 2025 14:05:49.928777933 CET	445	50187	44.53.29.1	192.168.2.5
Jan 15, 2025 14:05:51.153428078 CET	445	49806	31.211.10.1	192.168.2.5
Jan 15, 2025 14:05:51.153631926 CET	49806	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:05:51.153631926 CET	49806	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:05:51.153781891 CET	49806	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:05:51.158551931 CET	445	49806	31.211.10.1	192.168.2.5
Jan 15, 2025 14:05:51.158586979 CET	445	49806	31.211.10.1	192.168.2.5
Jan 15, 2025 14:05:51.626493931 CET	445	50184	191.52.146.3	192.168.2.5
Jan 15, 2025 14:05:51.629312992 CET	50184	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:51.632091045 CET	50184	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:51.632139921 CET	50184	445	192.168.2.5	191.52.146.3
Jan 15, 2025 14:05:51.636900902 CET	445	50184	191.52.146.3	192.168.2.5
Jan 15, 2025 14:05:51.636915922 CET	445	50184	191.52.146.3	192.168.2.5
Jan 15, 2025 14:05:51.685158014 CET	50219	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:51.690010071 CET	445	50219	191.52.146.4	192.168.2.5
Jan 15, 2025 14:05:51.690110922 CET	50219	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:51.690315008 CET	50219	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:51.690658092 CET	50220	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:51.695173025 CET	445	50219	191.52.146.4	192.168.2.5
Jan 15, 2025 14:05:51.695277929 CET	50219	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:51.695488930 CET	445	50220	191.52.146.4	192.168.2.5
Jan 15, 2025 14:05:51.695568085 CET	50220	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:51.695638895 CET	50220	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:51.700406075 CET	445	50220	191.52.146.4	192.168.2.5
Jan 15, 2025 14:05:51.932159901 CET	50225	445	192.168.2.5	11.170.45.231
Jan 15, 2025 14:05:51.936988115 CET	445	50225	11.170.45.231	192.168.2.5
Jan 15, 2025 14:05:51.937066078 CET	50225	445	192.168.2.5	11.170.45.231
Jan 15, 2025 14:05:51.937124968 CET	50225	445	192.168.2.5	11.170.45.231
Jan 15, 2025 14:05:51.937422991 CET	50226	445	192.168.2.5	11.170.45.1
Jan 15, 2025 14:05:51.942172050 CET	445	50225	11.170.45.231	192.168.2.5
Jan 15, 2025 14:05:51.942236900 CET	50225	445	192.168.2.5	11.170.45.231
Jan 15, 2025 14:05:51.942289114 CET	445	50226	11.170.45.1	192.168.2.5
Jan 15, 2025 14:05:51.942369938 CET	50226	445	192.168.2.5	11.170.45.1
Jan 15, 2025 14:05:51.944072962 CET	50226	445	192.168.2.5	11.170.45.1
Jan 15, 2025 14:05:51.944686890 CET	50227	445	192.168.2.5	11.170.45.1
Jan 15, 2025 14:05:51.948899031 CET	445	50226	11.170.45.1	192.168.2.5
Jan 15, 2025 14:05:51.948976040 CET	50226	445	192.168.2.5	11.170.45.1
Jan 15, 2025 14:05:51.949527979 CET	445	50227	11.170.45.1	192.168.2.5
Jan 15, 2025 14:05:51.949595928 CET	50227	445	192.168.2.5	11.170.45.1
Jan 15, 2025 14:05:51.949620008 CET	50227	445	192.168.2.5	11.170.45.1
Jan 15, 2025 14:05:51.954437017 CET	445	50227	11.170.45.1	192.168.2.5
Jan 15, 2025 14:05:52.185163021 CET	50230	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:05:52.190152884 CET	445	50230	163.149.244.1	192.168.2.5
Jan 15, 2025 14:05:52.190253973 CET	50230	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:05:52.190355062 CET	50230	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:05:52.195202112 CET	445	50230	163.149.244.1	192.168.2.5
Jan 15, 2025 14:05:53.472784996 CET	445	50220	191.52.146.4	192.168.2.5
Jan 15, 2025 14:05:53.473608971 CET	50220	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:53.473691940 CET	50220	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:53.473742962 CET	50220	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:53.478593111 CET	445	50220	191.52.146.4	192.168.2.5
Jan 15, 2025 14:05:53.478622913 CET	445	50220	191.52.146.4	192.168.2.5
Jan 15, 2025 14:05:53.935162067 CET	50244	445	192.168.2.5	117.121.16.142
Jan 15, 2025 14:05:53.940057039 CET	445	50244	117.121.16.142	192.168.2.5
Jan 15, 2025 14:05:53.940192938 CET	50244	445	192.168.2.5	117.121.16.142
Jan 15, 2025 14:05:53.940299988 CET	50244	445	192.168.2.5	117.121.16.142
Jan 15, 2025 14:05:53.940568924 CET	50245	445	192.168.2.5	117.121.16.1
Jan 15, 2025 14:05:53.945298910 CET	445	50244	117.121.16.142	192.168.2.5
Jan 15, 2025 14:05:53.945358038 CET	445	50245	117.121.16.1	192.168.2.5
Jan 15, 2025 14:05:53.945523977 CET	50244	445	192.168.2.5	117.121.16.142
Jan 15, 2025 14:05:53.945579052 CET	50245	445	192.168.2.5	117.121.16.1
Jan 15, 2025 14:05:53.945657969 CET	50245	445	192.168.2.5	117.121.16.1
Jan 15, 2025 14:05:53.946052074 CET	50246	445	192.168.2.5	117.121.16.1
Jan 15, 2025 14:05:53.950577974 CET	445	50245	117.121.16.1	192.168.2.5
Jan 15, 2025 14:05:53.950654030 CET	50245	445	192.168.2.5	117.121.16.1
Jan 15, 2025 14:05:53.950907946 CET	445	50246	117.121.16.1	192.168.2.5
Jan 15, 2025 14:05:53.950989008 CET	50246	445	192.168.2.5	117.121.16.1
Jan 15, 2025 14:05:53.951008081 CET	50246	445	192.168.2.5	117.121.16.1
Jan 15, 2025 14:05:53.955826998 CET	445	50246	117.121.16.1	192.168.2.5
Jan 15, 2025 14:05:54.170074940 CET	50248	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:05:54.174911022 CET	445	50248	31.211.10.1	192.168.2.5
Jan 15, 2025 14:05:54.174998045 CET	50248	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:05:54.175177097 CET	50248	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:05:54.180006027 CET	445	50248	31.211.10.1	192.168.2.5
Jan 15, 2025 14:05:55.204005957 CET	445	49886	213.39.119.1	192.168.2.5
Jan 15, 2025 14:05:55.204096079 CET	49886	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:05:55.204154015 CET	49886	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:05:55.204246998 CET	49886	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:05:55.209362984 CET	445	49886	213.39.119.1	192.168.2.5
Jan 15, 2025 14:05:55.209402084 CET	445	49886	213.39.119.1	192.168.2.5
Jan 15, 2025 14:05:55.951426983 CET	50260	445	192.168.2.5	149.250.22.15
Jan 15, 2025 14:05:55.956482887 CET	445	50260	149.250.22.15	192.168.2.5
Jan 15, 2025 14:05:55.956579924 CET	50260	445	192.168.2.5	149.250.22.15
Jan 15, 2025 14:05:55.956703901 CET	50260	445	192.168.2.5	149.250.22.15
Jan 15, 2025 14:05:55.957026958 CET	50261	445	192.168.2.5	149.250.22.1
Jan 15, 2025 14:05:55.961900949 CET	445	50260	149.250.22.15	192.168.2.5
Jan 15, 2025 14:05:55.961973906 CET	50260	445	192.168.2.5	149.250.22.15
Jan 15, 2025 14:05:55.962310076 CET	445	50261	149.250.22.1	192.168.2.5
Jan 15, 2025 14:05:55.962405920 CET	50261	445	192.168.2.5	149.250.22.1
Jan 15, 2025 14:05:55.962507963 CET	50261	445	192.168.2.5	149.250.22.1
Jan 15, 2025 14:05:55.962811947 CET	50262	445	192.168.2.5	149.250.22.1
Jan 15, 2025 14:05:55.967972040 CET	445	50261	149.250.22.1	192.168.2.5
Jan 15, 2025 14:05:55.968076944 CET	445	50262	149.250.22.1	192.168.2.5
Jan 15, 2025 14:05:55.968121052 CET	50261	445	192.168.2.5	149.250.22.1
Jan 15, 2025 14:05:55.968162060 CET	50262	445	192.168.2.5	149.250.22.1
Jan 15, 2025 14:05:55.978028059 CET	50262	445	192.168.2.5	149.250.22.1
Jan 15, 2025 14:05:55.983027935 CET	445	50262	149.250.22.1	192.168.2.5
Jan 15, 2025 14:05:56.481852055 CET	50268	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:56.486709118 CET	445	50268	191.52.146.4	192.168.2.5
Jan 15, 2025 14:05:56.486809969 CET	50268	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:56.486850023 CET	50268	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:56.491628885 CET	445	50268	191.52.146.4	192.168.2.5
Jan 15, 2025 14:05:57.190188885 CET	445	49923	59.126.4.1	192.168.2.5
Jan 15, 2025 14:05:57.190280914 CET	49923	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:05:57.190361977 CET	49923	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:05:57.190386057 CET	49923	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:05:57.196562052 CET	445	49923	59.126.4.1	192.168.2.5
Jan 15, 2025 14:05:57.196593046 CET	445	49923	59.126.4.1	192.168.2.5
Jan 15, 2025 14:05:57.966566086 CET	50278	445	192.168.2.5	166.112.213.83
Jan 15, 2025 14:05:57.972012997 CET	445	50278	166.112.213.83	192.168.2.5
Jan 15, 2025 14:05:57.972270012 CET	50278	445	192.168.2.5	166.112.213.83
Jan 15, 2025 14:05:57.972270012 CET	50278	445	192.168.2.5	166.112.213.83
Jan 15, 2025 14:05:57.972486973 CET	50279	445	192.168.2.5	166.112.213.1
Jan 15, 2025 14:05:57.977891922 CET	445	50279	166.112.213.1	192.168.2.5
Jan 15, 2025 14:05:57.977941036 CET	445	50278	166.112.213.83	192.168.2.5
Jan 15, 2025 14:05:57.977979898 CET	50279	445	192.168.2.5	166.112.213.1
Jan 15, 2025 14:05:57.978130102 CET	50279	445	192.168.2.5	166.112.213.1
Jan 15, 2025 14:05:57.978168011 CET	50278	445	192.168.2.5	166.112.213.83
Jan 15, 2025 14:05:57.978395939 CET	50280	445	192.168.2.5	166.112.213.1
Jan 15, 2025 14:05:57.983911991 CET	445	50280	166.112.213.1	192.168.2.5
Jan 15, 2025 14:05:57.983961105 CET	445	50279	166.112.213.1	192.168.2.5
Jan 15, 2025 14:05:57.984066963 CET	50280	445	192.168.2.5	166.112.213.1
Jan 15, 2025 14:05:57.984082937 CET	50280	445	192.168.2.5	166.112.213.1
Jan 15, 2025 14:05:57.984148026 CET	50279	445	192.168.2.5	166.112.213.1
Jan 15, 2025 14:05:57.989474058 CET	445	50280	166.112.213.1	192.168.2.5
Jan 15, 2025 14:05:58.216202021 CET	50282	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:05:58.221371889 CET	445	50282	213.39.119.1	192.168.2.5
Jan 15, 2025 14:05:58.221594095 CET	50282	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:05:58.221594095 CET	50282	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:05:58.227062941 CET	445	50282	213.39.119.1	192.168.2.5
Jan 15, 2025 14:05:58.255063057 CET	445	50268	191.52.146.4	192.168.2.5
Jan 15, 2025 14:05:58.255295038 CET	50268	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:58.255295038 CET	50268	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:58.255547047 CET	50268	445	192.168.2.5	191.52.146.4
Jan 15, 2025 14:05:58.260672092 CET	445	50268	191.52.146.4	192.168.2.5
Jan 15, 2025 14:05:58.260710001 CET	445	50268	191.52.146.4	192.168.2.5
Jan 15, 2025 14:05:58.310065985 CET	50283	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:05:58.315184116 CET	445	50283	191.52.146.5	192.168.2.5
Jan 15, 2025 14:05:58.315260887 CET	50283	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:05:58.315301895 CET	50283	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:05:58.315691948 CET	50285	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:05:58.320425987 CET	445	50283	191.52.146.5	192.168.2.5
Jan 15, 2025 14:05:58.320512056 CET	50283	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:05:58.320569992 CET	445	50285	191.52.146.5	192.168.2.5
Jan 15, 2025 14:05:58.320760012 CET	50285	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:05:58.320760965 CET	50285	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:05:58.326061964 CET	445	50285	191.52.146.5	192.168.2.5
Jan 15, 2025 14:05:59.219640970 CET	445	49959	48.181.201.1	192.168.2.5
Jan 15, 2025 14:05:59.219871044 CET	49959	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:05:59.219871044 CET	49959	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:05:59.219871044 CET	49959	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:05:59.226449966 CET	445	49959	48.181.201.1	192.168.2.5
Jan 15, 2025 14:05:59.226480007 CET	445	49959	48.181.201.1	192.168.2.5
Jan 15, 2025 14:05:59.982393026 CET	50296	445	192.168.2.5	41.215.205.230
Jan 15, 2025 14:05:59.987212896 CET	445	50296	41.215.205.230	192.168.2.5
Jan 15, 2025 14:05:59.987343073 CET	50296	445	192.168.2.5	41.215.205.230
Jan 15, 2025 14:05:59.987443924 CET	50297	445	192.168.2.5	41.215.205.1
Jan 15, 2025 14:05:59.987449884 CET	50296	445	192.168.2.5	41.215.205.230
Jan 15, 2025 14:05:59.992284060 CET	445	50297	41.215.205.1	192.168.2.5
Jan 15, 2025 14:05:59.992371082 CET	50297	445	192.168.2.5	41.215.205.1
Jan 15, 2025 14:05:59.992456913 CET	50297	445	192.168.2.5	41.215.205.1
Jan 15, 2025 14:05:59.992779970 CET	445	50296	41.215.205.230	192.168.2.5
Jan 15, 2025 14:05:59.992877960 CET	50296	445	192.168.2.5	41.215.205.230
Jan 15, 2025 14:05:59.992919922 CET	50298	445	192.168.2.5	41.215.205.1
Jan 15, 2025 14:05:59.997476101 CET	445	50297	41.215.205.1	192.168.2.5
Jan 15, 2025 14:05:59.997548103 CET	50297	445	192.168.2.5	41.215.205.1
Jan 15, 2025 14:05:59.997786045 CET	445	50298	41.215.205.1	192.168.2.5
Jan 15, 2025 14:05:59.997870922 CET	50298	445	192.168.2.5	41.215.205.1
Jan 15, 2025 14:05:59.997910976 CET	50298	445	192.168.2.5	41.215.205.1
Jan 15, 2025 14:06:00.006217003 CET	445	50298	41.215.205.1	192.168.2.5
Jan 15, 2025 14:06:00.101712942 CET	445	50285	191.52.146.5	192.168.2.5
Jan 15, 2025 14:06:00.101840973 CET	50285	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:06:00.104815960 CET	50285	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:06:00.104856968 CET	50285	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:06:00.109863043 CET	445	50285	191.52.146.5	192.168.2.5
Jan 15, 2025 14:06:00.109891891 CET	445	50285	191.52.146.5	192.168.2.5
Jan 15, 2025 14:06:00.202384949 CET	50301	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:06:00.208770990 CET	445	50301	59.126.4.1	192.168.2.5
Jan 15, 2025 14:06:00.208853960 CET	50301	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:06:00.208956957 CET	50301	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:06:00.213844061 CET	445	50301	59.126.4.1	192.168.2.5
Jan 15, 2025 14:06:01.231559038 CET	445	49996	195.114.66.1	192.168.2.5
Jan 15, 2025 14:06:01.231653929 CET	49996	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:06:01.231760979 CET	49996	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:06:01.231790066 CET	49996	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:06:01.236641884 CET	445	49996	195.114.66.1	192.168.2.5
Jan 15, 2025 14:06:01.236674070 CET	445	49996	195.114.66.1	192.168.2.5
Jan 15, 2025 14:06:01.997836113 CET	50302	445	192.168.2.5	132.154.163.112
Jan 15, 2025 14:06:02.002851009 CET	445	50302	132.154.163.112	192.168.2.5
Jan 15, 2025 14:06:02.002924919 CET	50302	445	192.168.2.5	132.154.163.112
Jan 15, 2025 14:06:02.003146887 CET	50302	445	192.168.2.5	132.154.163.112
Jan 15, 2025 14:06:02.003309965 CET	50303	445	192.168.2.5	132.154.163.1
Jan 15, 2025 14:06:02.008179903 CET	445	50303	132.154.163.1	192.168.2.5
Jan 15, 2025 14:06:02.008248091 CET	50303	445	192.168.2.5	132.154.163.1
Jan 15, 2025 14:06:02.008260965 CET	50303	445	192.168.2.5	132.154.163.1
Jan 15, 2025 14:06:02.008261919 CET	445	50302	132.154.163.112	192.168.2.5
Jan 15, 2025 14:06:02.008313894 CET	50302	445	192.168.2.5	132.154.163.112
Jan 15, 2025 14:06:02.008513927 CET	50304	445	192.168.2.5	132.154.163.1
Jan 15, 2025 14:06:02.013358116 CET	445	50304	132.154.163.1	192.168.2.5
Jan 15, 2025 14:06:02.013410091 CET	445	50303	132.154.163.1	192.168.2.5
Jan 15, 2025 14:06:02.013430119 CET	50304	445	192.168.2.5	132.154.163.1
Jan 15, 2025 14:06:02.013463020 CET	50303	445	192.168.2.5	132.154.163.1
Jan 15, 2025 14:06:02.013606071 CET	50304	445	192.168.2.5	132.154.163.1
Jan 15, 2025 14:06:02.018416882 CET	445	50304	132.154.163.1	192.168.2.5
Jan 15, 2025 14:06:02.231821060 CET	50305	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:06:02.237023115 CET	445	50305	48.181.201.1	192.168.2.5
Jan 15, 2025 14:06:02.237129927 CET	50305	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:06:02.237174988 CET	50305	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:06:02.242077112 CET	445	50305	48.181.201.1	192.168.2.5
Jan 15, 2025 14:06:03.111514091 CET	50306	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:06:03.116348028 CET	445	50306	191.52.146.5	192.168.2.5
Jan 15, 2025 14:06:03.116442919 CET	50306	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:06:03.116467953 CET	50306	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:06:03.121305943 CET	445	50306	191.52.146.5	192.168.2.5
Jan 15, 2025 14:06:03.247195005 CET	445	50035	182.175.152.1	192.168.2.5
Jan 15, 2025 14:06:03.247273922 CET	50035	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:06:03.277062893 CET	50035	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:06:03.277203083 CET	50035	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:06:03.281984091 CET	445	50035	182.175.152.1	192.168.2.5
Jan 15, 2025 14:06:03.282027960 CET	445	50035	182.175.152.1	192.168.2.5
Jan 15, 2025 14:06:03.872874022 CET	50307	445	192.168.2.5	90.146.13.201
Jan 15, 2025 14:06:03.878010988 CET	445	50307	90.146.13.201	192.168.2.5
Jan 15, 2025 14:06:03.878271103 CET	50307	445	192.168.2.5	90.146.13.201
Jan 15, 2025 14:06:03.878272057 CET	50307	445	192.168.2.5	90.146.13.201
Jan 15, 2025 14:06:03.878333092 CET	50308	445	192.168.2.5	90.146.13.1
Jan 15, 2025 14:06:03.883291006 CET	445	50308	90.146.13.1	192.168.2.5
Jan 15, 2025 14:06:03.883359909 CET	50308	445	192.168.2.5	90.146.13.1
Jan 15, 2025 14:06:03.883433104 CET	50308	445	192.168.2.5	90.146.13.1
Jan 15, 2025 14:06:03.883523941 CET	445	50307	90.146.13.201	192.168.2.5
Jan 15, 2025 14:06:03.883594990 CET	50307	445	192.168.2.5	90.146.13.201
Jan 15, 2025 14:06:03.883781910 CET	50309	445	192.168.2.5	90.146.13.1
Jan 15, 2025 14:06:03.888509035 CET	445	50308	90.146.13.1	192.168.2.5
Jan 15, 2025 14:06:03.888537884 CET	445	50309	90.146.13.1	192.168.2.5
Jan 15, 2025 14:06:03.888561010 CET	50308	445	192.168.2.5	90.146.13.1
Jan 15, 2025 14:06:03.888605118 CET	50309	445	192.168.2.5	90.146.13.1
Jan 15, 2025 14:06:03.888653994 CET	50309	445	192.168.2.5	90.146.13.1
Jan 15, 2025 14:06:03.893424988 CET	445	50309	90.146.13.1	192.168.2.5
Jan 15, 2025 14:06:04.247314930 CET	50310	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:06:04.252163887 CET	445	50310	195.114.66.1	192.168.2.5
Jan 15, 2025 14:06:04.252248049 CET	50310	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:06:04.252283096 CET	50310	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:06:04.257067919 CET	445	50310	195.114.66.1	192.168.2.5
Jan 15, 2025 14:06:04.913012028 CET	445	50306	191.52.146.5	192.168.2.5
Jan 15, 2025 14:06:04.913203001 CET	50306	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:06:04.913203001 CET	50306	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:06:04.913283110 CET	50306	445	192.168.2.5	191.52.146.5
Jan 15, 2025 14:06:04.918164015 CET	445	50306	191.52.146.5	192.168.2.5
Jan 15, 2025 14:06:04.918209076 CET	445	50306	191.52.146.5	192.168.2.5
Jan 15, 2025 14:06:04.966746092 CET	50311	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:04.971731901 CET	445	50311	191.52.146.6	192.168.2.5
Jan 15, 2025 14:06:04.971844912 CET	50311	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:04.971844912 CET	50311	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:04.973258972 CET	50312	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:04.977140903 CET	445	50311	191.52.146.6	192.168.2.5
Jan 15, 2025 14:06:04.977252007 CET	50311	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:04.978121042 CET	445	50312	191.52.146.6	192.168.2.5
Jan 15, 2025 14:06:04.978190899 CET	50312	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:04.978218079 CET	50312	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:04.983040094 CET	445	50312	191.52.146.6	192.168.2.5
Jan 15, 2025 14:06:05.248944998 CET	445	50073	97.151.157.1	192.168.2.5
Jan 15, 2025 14:06:05.249061108 CET	50073	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:06:05.249125004 CET	50073	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:06:05.249125004 CET	50073	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:06:05.254002094 CET	445	50073	97.151.157.1	192.168.2.5
Jan 15, 2025 14:06:05.254018068 CET	445	50073	97.151.157.1	192.168.2.5
Jan 15, 2025 14:06:05.622740030 CET	50313	445	192.168.2.5	126.66.235.62
Jan 15, 2025 14:06:05.627736092 CET	445	50313	126.66.235.62	192.168.2.5
Jan 15, 2025 14:06:05.627857924 CET	50313	445	192.168.2.5	126.66.235.62
Jan 15, 2025 14:06:05.627857924 CET	50313	445	192.168.2.5	126.66.235.62
Jan 15, 2025 14:06:05.630935907 CET	50314	445	192.168.2.5	126.66.235.1
Jan 15, 2025 14:06:05.633131027 CET	445	50313	126.66.235.62	192.168.2.5
Jan 15, 2025 14:06:05.634932995 CET	50313	445	192.168.2.5	126.66.235.62
Jan 15, 2025 14:06:05.635806084 CET	445	50314	126.66.235.1	192.168.2.5
Jan 15, 2025 14:06:05.635919094 CET	50314	445	192.168.2.5	126.66.235.1
Jan 15, 2025 14:06:05.635919094 CET	50314	445	192.168.2.5	126.66.235.1
Jan 15, 2025 14:06:05.636373997 CET	50315	445	192.168.2.5	126.66.235.1
Jan 15, 2025 14:06:05.641103983 CET	445	50314	126.66.235.1	192.168.2.5
Jan 15, 2025 14:06:05.641246080 CET	445	50315	126.66.235.1	192.168.2.5
Jan 15, 2025 14:06:05.641359091 CET	50315	445	192.168.2.5	126.66.235.1
Jan 15, 2025 14:06:05.641359091 CET	50315	445	192.168.2.5	126.66.235.1
Jan 15, 2025 14:06:05.642935991 CET	50314	445	192.168.2.5	126.66.235.1
Jan 15, 2025 14:06:05.646261930 CET	445	50315	126.66.235.1	192.168.2.5
Jan 15, 2025 14:06:06.283953905 CET	50316	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:06:06.291030884 CET	445	50316	182.175.152.1	192.168.2.5
Jan 15, 2025 14:06:06.291110039 CET	50316	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:06:06.293770075 CET	50316	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:06:06.300028086 CET	445	50316	182.175.152.1	192.168.2.5
Jan 15, 2025 14:06:06.737736940 CET	445	50312	191.52.146.6	192.168.2.5
Jan 15, 2025 14:06:06.737833023 CET	50312	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:06.737883091 CET	50312	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:06.737974882 CET	50312	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:06.742973089 CET	445	50312	191.52.146.6	192.168.2.5
Jan 15, 2025 14:06:06.742995024 CET	445	50312	191.52.146.6	192.168.2.5
Jan 15, 2025 14:06:07.248006105 CET	445	50111	98.93.158.1	192.168.2.5
Jan 15, 2025 14:06:07.248172998 CET	50111	445	192.168.2.5	98.93.158.1
Jan 15, 2025 14:06:07.248172998 CET	50111	445	192.168.2.5	98.93.158.1
Jan 15, 2025 14:06:07.248217106 CET	50111	445	192.168.2.5	98.93.158.1
Jan 15, 2025 14:06:07.253019094 CET	445	50111	98.93.158.1	192.168.2.5
Jan 15, 2025 14:06:07.253035069 CET	445	50111	98.93.158.1	192.168.2.5
Jan 15, 2025 14:06:07.263418913 CET	50317	445	192.168.2.5	24.121.53.247
Jan 15, 2025 14:06:07.268414021 CET	445	50317	24.121.53.247	192.168.2.5
Jan 15, 2025 14:06:07.268501997 CET	50317	445	192.168.2.5	24.121.53.247
Jan 15, 2025 14:06:07.268532991 CET	50317	445	192.168.2.5	24.121.53.247
Jan 15, 2025 14:06:07.268661976 CET	50318	445	192.168.2.5	24.121.53.1
Jan 15, 2025 14:06:07.273564100 CET	445	50318	24.121.53.1	192.168.2.5
Jan 15, 2025 14:06:07.273612022 CET	445	50317	24.121.53.247	192.168.2.5
Jan 15, 2025 14:06:07.273674965 CET	50317	445	192.168.2.5	24.121.53.247
Jan 15, 2025 14:06:07.273782969 CET	50318	445	192.168.2.5	24.121.53.1
Jan 15, 2025 14:06:07.273783922 CET	50318	445	192.168.2.5	24.121.53.1
Jan 15, 2025 14:06:07.274163008 CET	50319	445	192.168.2.5	24.121.53.1
Jan 15, 2025 14:06:07.279146910 CET	445	50318	24.121.53.1	192.168.2.5
Jan 15, 2025 14:06:07.279170036 CET	445	50319	24.121.53.1	192.168.2.5
Jan 15, 2025 14:06:07.279236078 CET	50318	445	192.168.2.5	24.121.53.1
Jan 15, 2025 14:06:07.279261112 CET	50319	445	192.168.2.5	24.121.53.1
Jan 15, 2025 14:06:07.279330969 CET	50319	445	192.168.2.5	24.121.53.1
Jan 15, 2025 14:06:07.284347057 CET	445	50319	24.121.53.1	192.168.2.5
Jan 15, 2025 14:06:08.263101101 CET	50321	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:06:08.268019915 CET	445	50321	97.151.157.1	192.168.2.5
Jan 15, 2025 14:06:08.268090963 CET	50321	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:06:08.268141985 CET	50321	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:06:08.272994041 CET	445	50321	97.151.157.1	192.168.2.5
Jan 15, 2025 14:06:08.794532061 CET	50322	445	192.168.2.5	192.201.193.167
Jan 15, 2025 14:06:08.799335957 CET	445	50322	192.201.193.167	192.168.2.5
Jan 15, 2025 14:06:08.799426079 CET	50322	445	192.168.2.5	192.201.193.167
Jan 15, 2025 14:06:08.799631119 CET	50323	445	192.168.2.5	192.201.193.1
Jan 15, 2025 14:06:08.799664021 CET	50322	445	192.168.2.5	192.201.193.167
Jan 15, 2025 14:06:08.804532051 CET	445	50323	192.201.193.1	192.168.2.5
Jan 15, 2025 14:06:08.804546118 CET	445	50322	192.201.193.167	192.168.2.5
Jan 15, 2025 14:06:08.804639101 CET	50322	445	192.168.2.5	192.201.193.167
Jan 15, 2025 14:06:08.804647923 CET	50323	445	192.168.2.5	192.201.193.1
Jan 15, 2025 14:06:08.804763079 CET	50323	445	192.168.2.5	192.201.193.1
Jan 15, 2025 14:06:08.805011034 CET	50324	445	192.168.2.5	192.201.193.1
Jan 15, 2025 14:06:08.810015917 CET	445	50323	192.201.193.1	192.168.2.5
Jan 15, 2025 14:06:08.810031891 CET	445	50324	192.201.193.1	192.168.2.5
Jan 15, 2025 14:06:08.810082912 CET	50323	445	192.168.2.5	192.201.193.1
Jan 15, 2025 14:06:08.810095072 CET	50324	445	192.168.2.5	192.201.193.1
Jan 15, 2025 14:06:08.810142040 CET	50324	445	192.168.2.5	192.201.193.1
Jan 15, 2025 14:06:08.814928055 CET	445	50324	192.201.193.1	192.168.2.5
Jan 15, 2025 14:06:09.298237085 CET	445	50149	96.157.153.1	192.168.2.5
Jan 15, 2025 14:06:09.298325062 CET	50149	445	192.168.2.5	96.157.153.1
Jan 15, 2025 14:06:09.308578014 CET	50149	445	192.168.2.5	96.157.153.1
Jan 15, 2025 14:06:09.308615923 CET	50149	445	192.168.2.5	96.157.153.1
Jan 15, 2025 14:06:09.313474894 CET	445	50149	96.157.153.1	192.168.2.5
Jan 15, 2025 14:06:09.313488960 CET	445	50149	96.157.153.1	192.168.2.5
Jan 15, 2025 14:06:09.747391939 CET	50325	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:09.752285957 CET	445	50325	191.52.146.6	192.168.2.5
Jan 15, 2025 14:06:09.752403021 CET	50325	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:09.752476931 CET	50325	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:09.757227898 CET	445	50325	191.52.146.6	192.168.2.5
Jan 15, 2025 14:06:10.216852903 CET	50326	445	192.168.2.5	95.45.80.222
Jan 15, 2025 14:06:10.221713066 CET	445	50326	95.45.80.222	192.168.2.5
Jan 15, 2025 14:06:10.221787930 CET	50326	445	192.168.2.5	95.45.80.222
Jan 15, 2025 14:06:10.221940041 CET	50326	445	192.168.2.5	95.45.80.222
Jan 15, 2025 14:06:10.222035885 CET	50327	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:10.227138996 CET	445	50326	95.45.80.222	192.168.2.5
Jan 15, 2025 14:06:10.227215052 CET	50326	445	192.168.2.5	95.45.80.222
Jan 15, 2025 14:06:10.227283001 CET	445	50327	95.45.80.1	192.168.2.5
Jan 15, 2025 14:06:10.227360964 CET	50327	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:10.227457047 CET	50327	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:10.227758884 CET	50328	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:10.232920885 CET	445	50327	95.45.80.1	192.168.2.5
Jan 15, 2025 14:06:10.232939005 CET	445	50328	95.45.80.1	192.168.2.5
Jan 15, 2025 14:06:10.233037949 CET	50327	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:10.233050108 CET	50328	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:10.233051062 CET	50328	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:10.238238096 CET	445	50328	95.45.80.1	192.168.2.5
Jan 15, 2025 14:06:10.262953043 CET	50329	445	192.168.2.5	98.93.158.1
Jan 15, 2025 14:06:10.267843008 CET	445	50329	98.93.158.1	192.168.2.5
Jan 15, 2025 14:06:10.267920017 CET	50329	445	192.168.2.5	98.93.158.1
Jan 15, 2025 14:06:10.267986059 CET	50329	445	192.168.2.5	98.93.158.1
Jan 15, 2025 14:06:10.272910118 CET	445	50329	98.93.158.1	192.168.2.5
Jan 15, 2025 14:06:11.278559923 CET	445	50187	44.53.29.1	192.168.2.5
Jan 15, 2025 14:06:11.278665066 CET	50187	445	192.168.2.5	44.53.29.1
Jan 15, 2025 14:06:11.278732061 CET	50187	445	192.168.2.5	44.53.29.1
Jan 15, 2025 14:06:11.278758049 CET	50187	445	192.168.2.5	44.53.29.1
Jan 15, 2025 14:06:11.283582926 CET	445	50187	44.53.29.1	192.168.2.5
Jan 15, 2025 14:06:11.283649921 CET	445	50187	44.53.29.1	192.168.2.5
Jan 15, 2025 14:06:11.519016027 CET	445	50325	191.52.146.6	192.168.2.5
Jan 15, 2025 14:06:11.519232988 CET	50325	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:11.519232988 CET	50325	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:11.519284010 CET	50325	445	192.168.2.5	191.52.146.6
Jan 15, 2025 14:06:11.524208069 CET	445	50325	191.52.146.6	192.168.2.5
Jan 15, 2025 14:06:11.524238110 CET	445	50325	191.52.146.6	192.168.2.5
Jan 15, 2025 14:06:11.544485092 CET	50330	445	192.168.2.5	64.111.49.197
Jan 15, 2025 14:06:11.549854040 CET	445	50330	64.111.49.197	192.168.2.5
Jan 15, 2025 14:06:11.549947023 CET	50330	445	192.168.2.5	64.111.49.197
Jan 15, 2025 14:06:11.550005913 CET	50330	445	192.168.2.5	64.111.49.197
Jan 15, 2025 14:06:11.550097942 CET	50331	445	192.168.2.5	64.111.49.1
Jan 15, 2025 14:06:11.554990053 CET	445	50331	64.111.49.1	192.168.2.5
Jan 15, 2025 14:06:11.555057049 CET	50331	445	192.168.2.5	64.111.49.1
Jan 15, 2025 14:06:11.555083990 CET	445	50330	64.111.49.197	192.168.2.5
Jan 15, 2025 14:06:11.555083990 CET	50331	445	192.168.2.5	64.111.49.1
Jan 15, 2025 14:06:11.555139065 CET	50330	445	192.168.2.5	64.111.49.197
Jan 15, 2025 14:06:11.555341005 CET	50332	445	192.168.2.5	64.111.49.1
Jan 15, 2025 14:06:11.559923887 CET	445	50331	64.111.49.1	192.168.2.5
Jan 15, 2025 14:06:11.560082912 CET	445	50331	64.111.49.1	192.168.2.5
Jan 15, 2025 14:06:11.560138941 CET	50331	445	192.168.2.5	64.111.49.1
Jan 15, 2025 14:06:11.560195923 CET	445	50332	64.111.49.1	192.168.2.5
Jan 15, 2025 14:06:11.560259104 CET	50332	445	192.168.2.5	64.111.49.1
Jan 15, 2025 14:06:11.560970068 CET	50332	445	192.168.2.5	64.111.49.1
Jan 15, 2025 14:06:11.565855026 CET	445	50332	64.111.49.1	192.168.2.5
Jan 15, 2025 14:06:11.601366997 CET	50333	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:11.606326103 CET	445	50333	191.52.146.7	192.168.2.5
Jan 15, 2025 14:06:11.606543064 CET	50333	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:11.606664896 CET	50333	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:11.607088089 CET	50334	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:11.611624956 CET	445	50333	191.52.146.7	192.168.2.5
Jan 15, 2025 14:06:11.611704111 CET	50333	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:11.612061024 CET	445	50334	191.52.146.7	192.168.2.5
Jan 15, 2025 14:06:11.612142086 CET	50334	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:11.667759895 CET	50334	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:11.672806025 CET	445	50334	191.52.146.7	192.168.2.5
Jan 15, 2025 14:06:11.861851931 CET	445	50328	95.45.80.1	192.168.2.5
Jan 15, 2025 14:06:11.862090111 CET	50328	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:11.862178087 CET	50328	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:11.862202883 CET	50328	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:11.867197037 CET	445	50328	95.45.80.1	192.168.2.5
Jan 15, 2025 14:06:11.867217064 CET	445	50328	95.45.80.1	192.168.2.5
Jan 15, 2025 14:06:12.309901953 CET	50335	445	192.168.2.5	96.157.153.1
Jan 15, 2025 14:06:12.314765930 CET	445	50335	96.157.153.1	192.168.2.5
Jan 15, 2025 14:06:12.314857006 CET	50335	445	192.168.2.5	96.157.153.1
Jan 15, 2025 14:06:12.314888000 CET	50335	445	192.168.2.5	96.157.153.1
Jan 15, 2025 14:06:12.319675922 CET	445	50335	96.157.153.1	192.168.2.5
Jan 15, 2025 14:06:12.778991938 CET	50336	445	192.168.2.5	85.81.219.106
Jan 15, 2025 14:06:12.783976078 CET	445	50336	85.81.219.106	192.168.2.5
Jan 15, 2025 14:06:12.784123898 CET	50336	445	192.168.2.5	85.81.219.106
Jan 15, 2025 14:06:12.784171104 CET	50336	445	192.168.2.5	85.81.219.106
Jan 15, 2025 14:06:12.784260035 CET	50337	445	192.168.2.5	85.81.219.1
Jan 15, 2025 14:06:12.789232969 CET	445	50337	85.81.219.1	192.168.2.5
Jan 15, 2025 14:06:12.789632082 CET	445	50336	85.81.219.106	192.168.2.5
Jan 15, 2025 14:06:12.789710999 CET	50336	445	192.168.2.5	85.81.219.106
Jan 15, 2025 14:06:12.790029049 CET	50337	445	192.168.2.5	85.81.219.1
Jan 15, 2025 14:06:12.790045023 CET	50338	445	192.168.2.5	85.81.219.1
Jan 15, 2025 14:06:12.795111895 CET	445	50338	85.81.219.1	192.168.2.5
Jan 15, 2025 14:06:12.795804977 CET	445	50337	85.81.219.1	192.168.2.5
Jan 15, 2025 14:06:12.795888901 CET	50337	445	192.168.2.5	85.81.219.1
Jan 15, 2025 14:06:12.795918941 CET	50338	445	192.168.2.5	85.81.219.1
Jan 15, 2025 14:06:12.795974970 CET	50338	445	192.168.2.5	85.81.219.1
Jan 15, 2025 14:06:12.801045895 CET	445	50338	85.81.219.1	192.168.2.5
Jan 15, 2025 14:06:13.325433016 CET	445	50227	11.170.45.1	192.168.2.5
Jan 15, 2025 14:06:13.325560093 CET	50227	445	192.168.2.5	11.170.45.1
Jan 15, 2025 14:06:13.325689077 CET	50227	445	192.168.2.5	11.170.45.1
Jan 15, 2025 14:06:13.325689077 CET	50227	445	192.168.2.5	11.170.45.1
Jan 15, 2025 14:06:13.330634117 CET	445	50227	11.170.45.1	192.168.2.5
Jan 15, 2025 14:06:13.330677986 CET	445	50227	11.170.45.1	192.168.2.5
Jan 15, 2025 14:06:13.400187969 CET	445	50334	191.52.146.7	192.168.2.5
Jan 15, 2025 14:06:13.400281906 CET	50334	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:13.400335073 CET	50334	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:13.400372028 CET	50334	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:13.405291080 CET	445	50334	191.52.146.7	192.168.2.5
Jan 15, 2025 14:06:13.405319929 CET	445	50334	191.52.146.7	192.168.2.5
Jan 15, 2025 14:06:13.596868992 CET	445	50230	163.149.244.1	192.168.2.5
Jan 15, 2025 14:06:13.597090960 CET	50230	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:06:13.597090960 CET	50230	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:06:13.597145081 CET	50230	445	192.168.2.5	163.149.244.1
Jan 15, 2025 14:06:13.602319002 CET	445	50230	163.149.244.1	192.168.2.5
Jan 15, 2025 14:06:13.602360964 CET	445	50230	163.149.244.1	192.168.2.5
Jan 15, 2025 14:06:13.653867006 CET	50339	445	192.168.2.5	163.149.244.2
Jan 15, 2025 14:06:13.659040928 CET	445	50339	163.149.244.2	192.168.2.5
Jan 15, 2025 14:06:13.659264088 CET	50339	445	192.168.2.5	163.149.244.2
Jan 15, 2025 14:06:13.659264088 CET	50339	445	192.168.2.5	163.149.244.2
Jan 15, 2025 14:06:13.659599066 CET	50340	445	192.168.2.5	163.149.244.2
Jan 15, 2025 14:06:13.664462090 CET	445	50340	163.149.244.2	192.168.2.5
Jan 15, 2025 14:06:13.664520025 CET	445	50339	163.149.244.2	192.168.2.5
Jan 15, 2025 14:06:13.664550066 CET	50340	445	192.168.2.5	163.149.244.2
Jan 15, 2025 14:06:13.664578915 CET	50339	445	192.168.2.5	163.149.244.2
Jan 15, 2025 14:06:13.664581060 CET	50340	445	192.168.2.5	163.149.244.2
Jan 15, 2025 14:06:13.669425011 CET	445	50340	163.149.244.2	192.168.2.5
Jan 15, 2025 14:06:13.935425997 CET	50341	445	192.168.2.5	130.222.120.126
Jan 15, 2025 14:06:13.940654993 CET	445	50341	130.222.120.126	192.168.2.5
Jan 15, 2025 14:06:13.941036940 CET	50341	445	192.168.2.5	130.222.120.126
Jan 15, 2025 14:06:13.941036940 CET	50341	445	192.168.2.5	130.222.120.126
Jan 15, 2025 14:06:13.941098928 CET	50342	445	192.168.2.5	130.222.120.1
Jan 15, 2025 14:06:13.946022034 CET	445	50342	130.222.120.1	192.168.2.5
Jan 15, 2025 14:06:13.946090937 CET	50342	445	192.168.2.5	130.222.120.1
Jan 15, 2025 14:06:13.946111917 CET	50342	445	192.168.2.5	130.222.120.1
Jan 15, 2025 14:06:13.946125031 CET	445	50341	130.222.120.126	192.168.2.5
Jan 15, 2025 14:06:13.946269989 CET	50341	445	192.168.2.5	130.222.120.126
Jan 15, 2025 14:06:13.946562052 CET	50343	445	192.168.2.5	130.222.120.1
Jan 15, 2025 14:06:13.951416016 CET	445	50342	130.222.120.1	192.168.2.5
Jan 15, 2025 14:06:13.951494932 CET	50342	445	192.168.2.5	130.222.120.1
Jan 15, 2025 14:06:13.951654911 CET	445	50343	130.222.120.1	192.168.2.5
Jan 15, 2025 14:06:13.951838970 CET	50343	445	192.168.2.5	130.222.120.1
Jan 15, 2025 14:06:13.951839924 CET	50343	445	192.168.2.5	130.222.120.1
Jan 15, 2025 14:06:13.956819057 CET	445	50343	130.222.120.1	192.168.2.5
Jan 15, 2025 14:06:14.294354916 CET	50344	445	192.168.2.5	44.53.29.1
Jan 15, 2025 14:06:14.300687075 CET	445	50344	44.53.29.1	192.168.2.5
Jan 15, 2025 14:06:14.300820112 CET	50344	445	192.168.2.5	44.53.29.1
Jan 15, 2025 14:06:14.300863981 CET	50344	445	192.168.2.5	44.53.29.1
Jan 15, 2025 14:06:14.307231903 CET	445	50344	44.53.29.1	192.168.2.5
Jan 15, 2025 14:06:14.872410059 CET	50345	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:14.877197027 CET	445	50345	95.45.80.1	192.168.2.5
Jan 15, 2025 14:06:14.877307892 CET	50345	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:14.877473116 CET	50345	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:14.882262945 CET	445	50345	95.45.80.1	192.168.2.5
Jan 15, 2025 14:06:15.013807058 CET	50346	445	192.168.2.5	16.194.92.48
Jan 15, 2025 14:06:15.018718958 CET	445	50346	16.194.92.48	192.168.2.5
Jan 15, 2025 14:06:15.018799067 CET	50346	445	192.168.2.5	16.194.92.48
Jan 15, 2025 14:06:15.018838882 CET	50346	445	192.168.2.5	16.194.92.48
Jan 15, 2025 14:06:15.018990040 CET	50347	445	192.168.2.5	16.194.92.1
Jan 15, 2025 14:06:15.024012089 CET	445	50347	16.194.92.1	192.168.2.5
Jan 15, 2025 14:06:15.024055004 CET	445	50346	16.194.92.48	192.168.2.5
Jan 15, 2025 14:06:15.024077892 CET	50347	445	192.168.2.5	16.194.92.1
Jan 15, 2025 14:06:15.024115086 CET	50346	445	192.168.2.5	16.194.92.48
Jan 15, 2025 14:06:15.024192095 CET	50347	445	192.168.2.5	16.194.92.1
Jan 15, 2025 14:06:15.024476051 CET	50348	445	192.168.2.5	16.194.92.1
Jan 15, 2025 14:06:15.029294968 CET	445	50347	16.194.92.1	192.168.2.5
Jan 15, 2025 14:06:15.029375076 CET	50347	445	192.168.2.5	16.194.92.1
Jan 15, 2025 14:06:15.029408932 CET	445	50348	16.194.92.1	192.168.2.5
Jan 15, 2025 14:06:15.029481888 CET	50348	445	192.168.2.5	16.194.92.1
Jan 15, 2025 14:06:15.029536963 CET	50348	445	192.168.2.5	16.194.92.1
Jan 15, 2025 14:06:15.034382105 CET	445	50348	16.194.92.1	192.168.2.5
Jan 15, 2025 14:06:15.310697079 CET	445	50246	117.121.16.1	192.168.2.5
Jan 15, 2025 14:06:15.310818911 CET	50246	445	192.168.2.5	117.121.16.1
Jan 15, 2025 14:06:15.310858965 CET	50246	445	192.168.2.5	117.121.16.1
Jan 15, 2025 14:06:15.310904026 CET	50246	445	192.168.2.5	117.121.16.1
Jan 15, 2025 14:06:15.315701008 CET	445	50246	117.121.16.1	192.168.2.5
Jan 15, 2025 14:06:15.315712929 CET	445	50246	117.121.16.1	192.168.2.5
Jan 15, 2025 14:06:15.591664076 CET	445	50248	31.211.10.1	192.168.2.5
Jan 15, 2025 14:06:15.591733932 CET	50248	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:06:15.591775894 CET	50248	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:06:15.591835976 CET	50248	445	192.168.2.5	31.211.10.1
Jan 15, 2025 14:06:15.596530914 CET	445	50248	31.211.10.1	192.168.2.5
Jan 15, 2025 14:06:15.596579075 CET	445	50248	31.211.10.1	192.168.2.5
Jan 15, 2025 14:06:15.654042959 CET	50349	445	192.168.2.5	31.211.10.2
Jan 15, 2025 14:06:15.658895016 CET	445	50349	31.211.10.2	192.168.2.5
Jan 15, 2025 14:06:15.658987045 CET	50349	445	192.168.2.5	31.211.10.2
Jan 15, 2025 14:06:15.659049034 CET	50349	445	192.168.2.5	31.211.10.2
Jan 15, 2025 14:06:15.659409046 CET	50350	445	192.168.2.5	31.211.10.2
Jan 15, 2025 14:06:15.665606022 CET	445	50349	31.211.10.2	192.168.2.5
Jan 15, 2025 14:06:15.665666103 CET	50349	445	192.168.2.5	31.211.10.2
Jan 15, 2025 14:06:15.666100979 CET	445	50350	31.211.10.2	192.168.2.5
Jan 15, 2025 14:06:15.666155100 CET	50350	445	192.168.2.5	31.211.10.2
Jan 15, 2025 14:06:15.666183949 CET	50350	445	192.168.2.5	31.211.10.2
Jan 15, 2025 14:06:15.673207998 CET	445	50350	31.211.10.2	192.168.2.5
Jan 15, 2025 14:06:16.029340029 CET	50351	445	192.168.2.5	73.167.67.82
Jan 15, 2025 14:06:16.034178972 CET	445	50351	73.167.67.82	192.168.2.5
Jan 15, 2025 14:06:16.034275055 CET	50351	445	192.168.2.5	73.167.67.82
Jan 15, 2025 14:06:16.037209034 CET	50351	445	192.168.2.5	73.167.67.82
Jan 15, 2025 14:06:16.037650108 CET	50352	445	192.168.2.5	73.167.67.1
Jan 15, 2025 14:06:16.042049885 CET	445	50351	73.167.67.82	192.168.2.5
Jan 15, 2025 14:06:16.042108059 CET	50351	445	192.168.2.5	73.167.67.82
Jan 15, 2025 14:06:16.042486906 CET	445	50352	73.167.67.1	192.168.2.5
Jan 15, 2025 14:06:16.042795897 CET	50352	445	192.168.2.5	73.167.67.1
Jan 15, 2025 14:06:16.042795897 CET	50352	445	192.168.2.5	73.167.67.1
Jan 15, 2025 14:06:16.043140888 CET	50353	445	192.168.2.5	73.167.67.1
Jan 15, 2025 14:06:16.047938108 CET	445	50352	73.167.67.1	192.168.2.5
Jan 15, 2025 14:06:16.048007965 CET	445	50353	73.167.67.1	192.168.2.5
Jan 15, 2025 14:06:16.048046112 CET	50352	445	192.168.2.5	73.167.67.1
Jan 15, 2025 14:06:16.048079014 CET	50353	445	192.168.2.5	73.167.67.1
Jan 15, 2025 14:06:16.048126936 CET	50353	445	192.168.2.5	73.167.67.1
Jan 15, 2025 14:06:16.053000927 CET	445	50353	73.167.67.1	192.168.2.5
Jan 15, 2025 14:06:16.341147900 CET	50354	445	192.168.2.5	11.170.45.1
Jan 15, 2025 14:06:16.345973969 CET	445	50354	11.170.45.1	192.168.2.5
Jan 15, 2025 14:06:16.346174955 CET	50354	445	192.168.2.5	11.170.45.1
Jan 15, 2025 14:06:16.346174955 CET	50354	445	192.168.2.5	11.170.45.1
Jan 15, 2025 14:06:16.350955009 CET	445	50354	11.170.45.1	192.168.2.5
Jan 15, 2025 14:06:16.403758049 CET	50355	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:16.408550978 CET	445	50355	191.52.146.7	192.168.2.5
Jan 15, 2025 14:06:16.409003973 CET	50355	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:16.409003973 CET	50355	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:16.413867950 CET	445	50355	191.52.146.7	192.168.2.5
Jan 15, 2025 14:06:16.501919031 CET	445	50345	95.45.80.1	192.168.2.5
Jan 15, 2025 14:06:16.502052069 CET	50345	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:16.502096891 CET	50345	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:16.502131939 CET	50345	445	192.168.2.5	95.45.80.1
Jan 15, 2025 14:06:16.508034945 CET	445	50345	95.45.80.1	192.168.2.5
Jan 15, 2025 14:06:16.508049011 CET	445	50345	95.45.80.1	192.168.2.5
Jan 15, 2025 14:06:16.559976101 CET	50356	445	192.168.2.5	95.45.80.2
Jan 15, 2025 14:06:16.564800024 CET	445	50356	95.45.80.2	192.168.2.5
Jan 15, 2025 14:06:16.564908981 CET	50356	445	192.168.2.5	95.45.80.2
Jan 15, 2025 14:06:16.564932108 CET	50356	445	192.168.2.5	95.45.80.2
Jan 15, 2025 14:06:16.565449953 CET	50357	445	192.168.2.5	95.45.80.2
Jan 15, 2025 14:06:16.570008993 CET	445	50356	95.45.80.2	192.168.2.5
Jan 15, 2025 14:06:16.570070982 CET	50356	445	192.168.2.5	95.45.80.2
Jan 15, 2025 14:06:16.570274115 CET	445	50357	95.45.80.2	192.168.2.5
Jan 15, 2025 14:06:16.570384979 CET	50357	445	192.168.2.5	95.45.80.2
Jan 15, 2025 14:06:16.570384979 CET	50357	445	192.168.2.5	95.45.80.2
Jan 15, 2025 14:06:16.575172901 CET	445	50357	95.45.80.2	192.168.2.5
Jan 15, 2025 14:06:16.966474056 CET	50358	445	192.168.2.5	122.150.85.142
Jan 15, 2025 14:06:16.971573114 CET	445	50358	122.150.85.142	192.168.2.5
Jan 15, 2025 14:06:16.971668959 CET	50358	445	192.168.2.5	122.150.85.142
Jan 15, 2025 14:06:16.971729040 CET	50358	445	192.168.2.5	122.150.85.142
Jan 15, 2025 14:06:16.972014904 CET	50359	445	192.168.2.5	122.150.85.1
Jan 15, 2025 14:06:16.976671934 CET	445	50358	122.150.85.142	192.168.2.5
Jan 15, 2025 14:06:16.976746082 CET	50358	445	192.168.2.5	122.150.85.142
Jan 15, 2025 14:06:16.976833105 CET	445	50359	122.150.85.1	192.168.2.5
Jan 15, 2025 14:06:16.976947069 CET	50359	445	192.168.2.5	122.150.85.1
Jan 15, 2025 14:06:16.976947069 CET	50359	445	192.168.2.5	122.150.85.1
Jan 15, 2025 14:06:16.977334976 CET	50360	445	192.168.2.5	122.150.85.1
Jan 15, 2025 14:06:16.981930017 CET	445	50359	122.150.85.1	192.168.2.5
Jan 15, 2025 14:06:16.982001066 CET	50359	445	192.168.2.5	122.150.85.1
Jan 15, 2025 14:06:16.982268095 CET	445	50360	122.150.85.1	192.168.2.5
Jan 15, 2025 14:06:16.982347012 CET	50360	445	192.168.2.5	122.150.85.1
Jan 15, 2025 14:06:16.982389927 CET	50360	445	192.168.2.5	122.150.85.1
Jan 15, 2025 14:06:16.987129927 CET	445	50360	122.150.85.1	192.168.2.5
Jan 15, 2025 14:06:17.387739897 CET	445	50262	149.250.22.1	192.168.2.5
Jan 15, 2025 14:06:17.387865067 CET	50262	445	192.168.2.5	149.250.22.1
Jan 15, 2025 14:06:17.387938976 CET	50262	445	192.168.2.5	149.250.22.1
Jan 15, 2025 14:06:17.387989998 CET	50262	445	192.168.2.5	149.250.22.1
Jan 15, 2025 14:06:17.392755032 CET	445	50262	149.250.22.1	192.168.2.5
Jan 15, 2025 14:06:17.392862082 CET	445	50262	149.250.22.1	192.168.2.5
Jan 15, 2025 14:06:17.841445923 CET	50361	445	192.168.2.5	191.65.111.209
Jan 15, 2025 14:06:17.846285105 CET	445	50361	191.65.111.209	192.168.2.5
Jan 15, 2025 14:06:17.846352100 CET	50361	445	192.168.2.5	191.65.111.209
Jan 15, 2025 14:06:17.846371889 CET	50361	445	192.168.2.5	191.65.111.209
Jan 15, 2025 14:06:17.846577883 CET	50362	445	192.168.2.5	191.65.111.1
Jan 15, 2025 14:06:17.851380110 CET	445	50362	191.65.111.1	192.168.2.5
Jan 15, 2025 14:06:17.851480007 CET	50362	445	192.168.2.5	191.65.111.1
Jan 15, 2025 14:06:17.851562977 CET	50362	445	192.168.2.5	191.65.111.1
Jan 15, 2025 14:06:17.851663113 CET	445	50361	191.65.111.209	192.168.2.5
Jan 15, 2025 14:06:17.851715088 CET	50361	445	192.168.2.5	191.65.111.209
Jan 15, 2025 14:06:17.852020025 CET	50363	445	192.168.2.5	191.65.111.1
Jan 15, 2025 14:06:17.856575012 CET	445	50362	191.65.111.1	192.168.2.5
Jan 15, 2025 14:06:17.856652021 CET	50362	445	192.168.2.5	191.65.111.1
Jan 15, 2025 14:06:17.856858969 CET	445	50363	191.65.111.1	192.168.2.5
Jan 15, 2025 14:06:17.856919050 CET	50363	445	192.168.2.5	191.65.111.1
Jan 15, 2025 14:06:17.856951952 CET	50363	445	192.168.2.5	191.65.111.1
Jan 15, 2025 14:06:17.861690044 CET	445	50363	191.65.111.1	192.168.2.5
Jan 15, 2025 14:06:18.178324938 CET	445	50355	191.52.146.7	192.168.2.5
Jan 15, 2025 14:06:18.178508997 CET	50355	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:18.178508997 CET	50355	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:18.178508997 CET	50355	445	192.168.2.5	191.52.146.7
Jan 15, 2025 14:06:18.184957981 CET	445	50355	191.52.146.7	192.168.2.5
Jan 15, 2025 14:06:18.184972048 CET	445	50355	191.52.146.7	192.168.2.5
Jan 15, 2025 14:06:18.231987000 CET	50364	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:18.236803055 CET	445	50364	191.52.146.8	192.168.2.5
Jan 15, 2025 14:06:18.236891985 CET	50364	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:18.236996889 CET	50364	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:18.237410069 CET	50365	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:18.241976976 CET	445	50364	191.52.146.8	192.168.2.5
Jan 15, 2025 14:06:18.242047071 CET	50364	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:18.242167950 CET	445	50365	191.52.146.8	192.168.2.5
Jan 15, 2025 14:06:18.242234945 CET	50365	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:18.242275953 CET	50365	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:18.247029066 CET	445	50365	191.52.146.8	192.168.2.5
Jan 15, 2025 14:06:18.325540066 CET	50366	445	192.168.2.5	117.121.16.1
Jan 15, 2025 14:06:18.330367088 CET	445	50366	117.121.16.1	192.168.2.5
Jan 15, 2025 14:06:18.330456972 CET	50366	445	192.168.2.5	117.121.16.1
Jan 15, 2025 14:06:18.330497980 CET	50366	445	192.168.2.5	117.121.16.1
Jan 15, 2025 14:06:18.335277081 CET	445	50366	117.121.16.1	192.168.2.5
Jan 15, 2025 14:06:18.669539928 CET	50367	445	192.168.2.5	209.154.74.118
Jan 15, 2025 14:06:18.674424887 CET	445	50367	209.154.74.118	192.168.2.5
Jan 15, 2025 14:06:18.674535036 CET	50367	445	192.168.2.5	209.154.74.118
Jan 15, 2025 14:06:18.674549103 CET	50367	445	192.168.2.5	209.154.74.118
Jan 15, 2025 14:06:18.674684048 CET	50368	445	192.168.2.5	209.154.74.1
Jan 15, 2025 14:06:18.679450989 CET	445	50368	209.154.74.1	192.168.2.5
Jan 15, 2025 14:06:18.679527044 CET	50368	445	192.168.2.5	209.154.74.1
Jan 15, 2025 14:06:18.679554939 CET	445	50367	209.154.74.118	192.168.2.5
Jan 15, 2025 14:06:18.679573059 CET	50368	445	192.168.2.5	209.154.74.1
Jan 15, 2025 14:06:18.679600954 CET	50367	445	192.168.2.5	209.154.74.118
Jan 15, 2025 14:06:18.679990053 CET	50369	445	192.168.2.5	209.154.74.1
Jan 15, 2025 14:06:18.684483051 CET	445	50368	209.154.74.1	192.168.2.5
Jan 15, 2025 14:06:18.684541941 CET	50368	445	192.168.2.5	209.154.74.1
Jan 15, 2025 14:06:18.684815884 CET	445	50369	209.154.74.1	192.168.2.5
Jan 15, 2025 14:06:18.684900999 CET	50369	445	192.168.2.5	209.154.74.1
Jan 15, 2025 14:06:18.684900999 CET	50369	445	192.168.2.5	209.154.74.1
Jan 15, 2025 14:06:18.689697981 CET	445	50369	209.154.74.1	192.168.2.5
Jan 15, 2025 14:06:19.358398914 CET	445	50280	166.112.213.1	192.168.2.5
Jan 15, 2025 14:06:19.358536959 CET	50280	445	192.168.2.5	166.112.213.1
Jan 15, 2025 14:06:19.358628035 CET	50280	445	192.168.2.5	166.112.213.1
Jan 15, 2025 14:06:19.358956099 CET	50280	445	192.168.2.5	166.112.213.1
Jan 15, 2025 14:06:19.363358021 CET	445	50280	166.112.213.1	192.168.2.5
Jan 15, 2025 14:06:19.363687992 CET	445	50280	166.112.213.1	192.168.2.5
Jan 15, 2025 14:06:19.435565948 CET	50370	445	192.168.2.5	13.84.89.139
Jan 15, 2025 14:06:19.440423012 CET	445	50370	13.84.89.139	192.168.2.5
Jan 15, 2025 14:06:19.440524101 CET	50370	445	192.168.2.5	13.84.89.139
Jan 15, 2025 14:06:19.440565109 CET	50370	445	192.168.2.5	13.84.89.139
Jan 15, 2025 14:06:19.440808058 CET	50371	445	192.168.2.5	13.84.89.1
Jan 15, 2025 14:06:19.445513010 CET	445	50370	13.84.89.139	192.168.2.5
Jan 15, 2025 14:06:19.445580959 CET	50370	445	192.168.2.5	13.84.89.139
Jan 15, 2025 14:06:19.445627928 CET	445	50371	13.84.89.1	192.168.2.5
Jan 15, 2025 14:06:19.445699930 CET	50371	445	192.168.2.5	13.84.89.1
Jan 15, 2025 14:06:19.445785999 CET	50371	445	192.168.2.5	13.84.89.1
Jan 15, 2025 14:06:19.446084976 CET	50372	445	192.168.2.5	13.84.89.1
Jan 15, 2025 14:06:19.450707912 CET	445	50371	13.84.89.1	192.168.2.5
Jan 15, 2025 14:06:19.450773954 CET	50371	445	192.168.2.5	13.84.89.1
Jan 15, 2025 14:06:19.450875044 CET	445	50372	13.84.89.1	192.168.2.5
Jan 15, 2025 14:06:19.451060057 CET	50372	445	192.168.2.5	13.84.89.1
Jan 15, 2025 14:06:19.451060057 CET	50372	445	192.168.2.5	13.84.89.1
Jan 15, 2025 14:06:19.455830097 CET	445	50372	13.84.89.1	192.168.2.5
Jan 15, 2025 14:06:19.595448971 CET	445	50282	213.39.119.1	192.168.2.5
Jan 15, 2025 14:06:19.595535994 CET	50282	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:06:19.595618010 CET	50282	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:06:19.595706940 CET	50282	445	192.168.2.5	213.39.119.1
Jan 15, 2025 14:06:19.600378036 CET	445	50282	213.39.119.1	192.168.2.5
Jan 15, 2025 14:06:19.600467920 CET	445	50282	213.39.119.1	192.168.2.5
Jan 15, 2025 14:06:19.653853893 CET	50373	445	192.168.2.5	213.39.119.2
Jan 15, 2025 14:06:19.658778906 CET	445	50373	213.39.119.2	192.168.2.5
Jan 15, 2025 14:06:19.658859968 CET	50373	445	192.168.2.5	213.39.119.2
Jan 15, 2025 14:06:19.658901930 CET	50373	445	192.168.2.5	213.39.119.2
Jan 15, 2025 14:06:19.659210920 CET	50374	445	192.168.2.5	213.39.119.2
Jan 15, 2025 14:06:19.663901091 CET	445	50373	213.39.119.2	192.168.2.5
Jan 15, 2025 14:06:19.663949013 CET	445	50373	213.39.119.2	192.168.2.5
Jan 15, 2025 14:06:19.663973093 CET	445	50374	213.39.119.2	192.168.2.5
Jan 15, 2025 14:06:19.664000034 CET	50373	445	192.168.2.5	213.39.119.2
Jan 15, 2025 14:06:19.664032936 CET	50374	445	192.168.2.5	213.39.119.2
Jan 15, 2025 14:06:19.664067030 CET	50374	445	192.168.2.5	213.39.119.2
Jan 15, 2025 14:06:19.668936014 CET	445	50374	213.39.119.2	192.168.2.5
Jan 15, 2025 14:06:20.016956091 CET	445	50365	191.52.146.8	192.168.2.5
Jan 15, 2025 14:06:20.017116070 CET	50365	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:20.017184973 CET	50365	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:20.017184973 CET	50365	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:20.021967888 CET	445	50365	191.52.146.8	192.168.2.5
Jan 15, 2025 14:06:20.021991968 CET	445	50365	191.52.146.8	192.168.2.5
Jan 15, 2025 14:06:20.403846025 CET	50376	445	192.168.2.5	149.250.22.1
Jan 15, 2025 14:06:20.408643007 CET	445	50376	149.250.22.1	192.168.2.5
Jan 15, 2025 14:06:20.408719063 CET	50376	445	192.168.2.5	149.250.22.1
Jan 15, 2025 14:06:20.408747911 CET	50376	445	192.168.2.5	149.250.22.1
Jan 15, 2025 14:06:20.413487911 CET	445	50376	149.250.22.1	192.168.2.5
Jan 15, 2025 14:06:21.393652916 CET	445	50298	41.215.205.1	192.168.2.5
Jan 15, 2025 14:06:21.393769979 CET	50298	445	192.168.2.5	41.215.205.1
Jan 15, 2025 14:06:21.393863916 CET	50298	445	192.168.2.5	41.215.205.1
Jan 15, 2025 14:06:21.393928051 CET	50298	445	192.168.2.5	41.215.205.1
Jan 15, 2025 14:06:21.398637056 CET	445	50298	41.215.205.1	192.168.2.5
Jan 15, 2025 14:06:21.398654938 CET	445	50298	41.215.205.1	192.168.2.5
Jan 15, 2025 14:06:21.579724073 CET	445	50301	59.126.4.1	192.168.2.5
Jan 15, 2025 14:06:21.579794884 CET	50301	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:06:21.579868078 CET	50301	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:06:21.579935074 CET	50301	445	192.168.2.5	59.126.4.1
Jan 15, 2025 14:06:21.584623098 CET	445	50301	59.126.4.1	192.168.2.5
Jan 15, 2025 14:06:21.584665060 CET	445	50301	59.126.4.1	192.168.2.5
Jan 15, 2025 14:06:21.638148069 CET	50380	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:21.642987967 CET	445	50380	59.126.4.2	192.168.2.5
Jan 15, 2025 14:06:21.643064976 CET	50380	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:21.643141985 CET	50380	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:21.643604040 CET	50381	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:21.648143053 CET	445	50380	59.126.4.2	192.168.2.5
Jan 15, 2025 14:06:21.648205042 CET	50380	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:21.648433924 CET	445	50381	59.126.4.2	192.168.2.5
Jan 15, 2025 14:06:21.648492098 CET	50381	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:21.648540974 CET	50381	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:21.653299093 CET	445	50381	59.126.4.2	192.168.2.5
Jan 15, 2025 14:06:22.372416973 CET	50384	445	192.168.2.5	166.112.213.1
Jan 15, 2025 14:06:22.378916025 CET	445	50384	166.112.213.1	192.168.2.5
Jan 15, 2025 14:06:22.381300926 CET	50384	445	192.168.2.5	166.112.213.1
Jan 15, 2025 14:06:22.381300926 CET	50384	445	192.168.2.5	166.112.213.1
Jan 15, 2025 14:06:22.387679100 CET	445	50384	166.112.213.1	192.168.2.5
Jan 15, 2025 14:06:23.028888941 CET	50388	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:23.033740997 CET	445	50388	191.52.146.8	192.168.2.5
Jan 15, 2025 14:06:23.033881903 CET	50388	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:23.033993959 CET	50388	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:23.038743973 CET	445	50388	191.52.146.8	192.168.2.5
Jan 15, 2025 14:06:23.405603886 CET	445	50304	132.154.163.1	192.168.2.5
Jan 15, 2025 14:06:23.405728102 CET	50304	445	192.168.2.5	132.154.163.1
Jan 15, 2025 14:06:23.409286976 CET	50304	445	192.168.2.5	132.154.163.1
Jan 15, 2025 14:06:23.409356117 CET	50304	445	192.168.2.5	132.154.163.1
Jan 15, 2025 14:06:23.414074898 CET	445	50304	132.154.163.1	192.168.2.5
Jan 15, 2025 14:06:23.414099932 CET	445	50304	132.154.163.1	192.168.2.5
Jan 15, 2025 14:06:23.622524023 CET	445	50305	48.181.201.1	192.168.2.5
Jan 15, 2025 14:06:23.622631073 CET	50305	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:06:23.646291018 CET	50305	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:06:23.646373987 CET	50305	445	192.168.2.5	48.181.201.1
Jan 15, 2025 14:06:23.651065111 CET	445	50305	48.181.201.1	192.168.2.5
Jan 15, 2025 14:06:23.651107073 CET	445	50305	48.181.201.1	192.168.2.5
Jan 15, 2025 14:06:23.717642069 CET	445	50381	59.126.4.2	192.168.2.5
Jan 15, 2025 14:06:23.717719078 CET	50381	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:23.717809916 CET	50381	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:23.717854977 CET	50381	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:23.722630024 CET	445	50381	59.126.4.2	192.168.2.5
Jan 15, 2025 14:06:23.722650051 CET	445	50381	59.126.4.2	192.168.2.5
Jan 15, 2025 14:06:23.728367090 CET	50396	445	192.168.2.5	48.181.201.2
Jan 15, 2025 14:06:23.733122110 CET	445	50396	48.181.201.2	192.168.2.5
Jan 15, 2025 14:06:23.733194113 CET	50396	445	192.168.2.5	48.181.201.2
Jan 15, 2025 14:06:23.733266115 CET	50396	445	192.168.2.5	48.181.201.2
Jan 15, 2025 14:06:23.738163948 CET	445	50396	48.181.201.2	192.168.2.5
Jan 15, 2025 14:06:23.738219976 CET	50396	445	192.168.2.5	48.181.201.2
Jan 15, 2025 14:06:23.748965025 CET	50397	445	192.168.2.5	48.181.201.2
Jan 15, 2025 14:06:23.753830910 CET	445	50397	48.181.201.2	192.168.2.5
Jan 15, 2025 14:06:23.753906965 CET	50397	445	192.168.2.5	48.181.201.2
Jan 15, 2025 14:06:23.753969908 CET	50397	445	192.168.2.5	48.181.201.2
Jan 15, 2025 14:06:23.758730888 CET	445	50397	48.181.201.2	192.168.2.5
Jan 15, 2025 14:06:24.403748035 CET	50402	445	192.168.2.5	41.215.205.1
Jan 15, 2025 14:06:24.408643007 CET	445	50402	41.215.205.1	192.168.2.5
Jan 15, 2025 14:06:24.408740997 CET	50402	445	192.168.2.5	41.215.205.1
Jan 15, 2025 14:06:24.408809900 CET	50402	445	192.168.2.5	41.215.205.1
Jan 15, 2025 14:06:24.413583994 CET	445	50402	41.215.205.1	192.168.2.5
Jan 15, 2025 14:06:24.800292015 CET	445	50388	191.52.146.8	192.168.2.5
Jan 15, 2025 14:06:24.800826073 CET	50388	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:24.800826073 CET	50388	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:24.800826073 CET	50388	445	192.168.2.5	191.52.146.8
Jan 15, 2025 14:06:24.805807114 CET	445	50388	191.52.146.8	192.168.2.5
Jan 15, 2025 14:06:24.805820942 CET	445	50388	191.52.146.8	192.168.2.5
Jan 15, 2025 14:06:24.856817007 CET	50409	445	192.168.2.5	191.52.146.9
Jan 15, 2025 14:06:24.861707926 CET	445	50409	191.52.146.9	192.168.2.5
Jan 15, 2025 14:06:24.861814022 CET	50409	445	192.168.2.5	191.52.146.9
Jan 15, 2025 14:06:24.861871958 CET	50409	445	192.168.2.5	191.52.146.9
Jan 15, 2025 14:06:24.862338066 CET	50410	445	192.168.2.5	191.52.146.9
Jan 15, 2025 14:06:24.867213011 CET	445	50409	191.52.146.9	192.168.2.5
Jan 15, 2025 14:06:24.867300034 CET	50409	445	192.168.2.5	191.52.146.9
Jan 15, 2025 14:06:24.867633104 CET	445	50410	191.52.146.9	192.168.2.5
Jan 15, 2025 14:06:24.867695093 CET	50410	445	192.168.2.5	191.52.146.9
Jan 15, 2025 14:06:24.867826939 CET	50410	445	192.168.2.5	191.52.146.9
Jan 15, 2025 14:06:24.872548103 CET	445	50410	191.52.146.9	192.168.2.5
Jan 15, 2025 14:06:25.247070074 CET	445	50309	90.146.13.1	192.168.2.5
Jan 15, 2025 14:06:25.247173071 CET	50309	445	192.168.2.5	90.146.13.1
Jan 15, 2025 14:06:25.247209072 CET	50309	445	192.168.2.5	90.146.13.1
Jan 15, 2025 14:06:25.247306108 CET	50309	445	192.168.2.5	90.146.13.1
Jan 15, 2025 14:06:25.252084970 CET	445	50309	90.146.13.1	192.168.2.5
Jan 15, 2025 14:06:25.252098083 CET	445	50309	90.146.13.1	192.168.2.5
Jan 15, 2025 14:06:25.622488022 CET	445	50310	195.114.66.1	192.168.2.5
Jan 15, 2025 14:06:25.622570038 CET	50310	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:06:25.622612000 CET	50310	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:06:25.622654915 CET	50310	445	192.168.2.5	195.114.66.1
Jan 15, 2025 14:06:25.627511978 CET	445	50310	195.114.66.1	192.168.2.5
Jan 15, 2025 14:06:25.627522945 CET	445	50310	195.114.66.1	192.168.2.5
Jan 15, 2025 14:06:25.685142040 CET	50418	445	192.168.2.5	195.114.66.2
Jan 15, 2025 14:06:25.689974070 CET	445	50418	195.114.66.2	192.168.2.5
Jan 15, 2025 14:06:25.690104961 CET	50418	445	192.168.2.5	195.114.66.2
Jan 15, 2025 14:06:25.693960905 CET	50418	445	192.168.2.5	195.114.66.2
Jan 15, 2025 14:06:25.694339991 CET	50419	445	192.168.2.5	195.114.66.2
Jan 15, 2025 14:06:25.698765993 CET	445	50418	195.114.66.2	192.168.2.5
Jan 15, 2025 14:06:25.698833942 CET	50418	445	192.168.2.5	195.114.66.2
Jan 15, 2025 14:06:25.699141979 CET	445	50419	195.114.66.2	192.168.2.5
Jan 15, 2025 14:06:25.699212074 CET	50419	445	192.168.2.5	195.114.66.2
Jan 15, 2025 14:06:25.699249983 CET	50419	445	192.168.2.5	195.114.66.2
Jan 15, 2025 14:06:25.704018116 CET	445	50419	195.114.66.2	192.168.2.5
Jan 15, 2025 14:06:26.419266939 CET	50429	445	192.168.2.5	132.154.163.1
Jan 15, 2025 14:06:26.424151897 CET	445	50429	132.154.163.1	192.168.2.5
Jan 15, 2025 14:06:26.424263000 CET	50429	445	192.168.2.5	132.154.163.1
Jan 15, 2025 14:06:26.424303055 CET	50429	445	192.168.2.5	132.154.163.1
Jan 15, 2025 14:06:26.429155111 CET	445	50429	132.154.163.1	192.168.2.5
Jan 15, 2025 14:06:26.630073071 CET	445	50410	191.52.146.9	192.168.2.5
Jan 15, 2025 14:06:26.630197048 CET	50410	445	192.168.2.5	191.52.146.9
Jan 15, 2025 14:06:26.630228996 CET	50410	445	192.168.2.5	191.52.146.9
Jan 15, 2025 14:06:26.630297899 CET	50410	445	192.168.2.5	191.52.146.9
Jan 15, 2025 14:06:26.635062933 CET	445	50410	191.52.146.9	192.168.2.5
Jan 15, 2025 14:06:26.635094881 CET	445	50410	191.52.146.9	192.168.2.5
Jan 15, 2025 14:06:26.731693983 CET	50437	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:26.736507893 CET	445	50437	59.126.4.2	192.168.2.5
Jan 15, 2025 14:06:26.736607075 CET	50437	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:26.736630917 CET	50437	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:26.741482973 CET	445	50437	59.126.4.2	192.168.2.5
Jan 15, 2025 14:06:27.017024994 CET	445	50315	126.66.235.1	192.168.2.5
Jan 15, 2025 14:06:27.017169952 CET	50315	445	192.168.2.5	126.66.235.1
Jan 15, 2025 14:06:27.017249107 CET	50315	445	192.168.2.5	126.66.235.1
Jan 15, 2025 14:06:27.017292976 CET	50315	445	192.168.2.5	126.66.235.1
Jan 15, 2025 14:06:27.022185087 CET	445	50315	126.66.235.1	192.168.2.5
Jan 15, 2025 14:06:27.022213936 CET	445	50315	126.66.235.1	192.168.2.5
Jan 15, 2025 14:06:27.690804005 CET	445	50316	182.175.152.1	192.168.2.5
Jan 15, 2025 14:06:27.690886021 CET	50316	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:06:27.690937996 CET	50316	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:06:27.690968037 CET	50316	445	192.168.2.5	182.175.152.1
Jan 15, 2025 14:06:27.695844889 CET	445	50316	182.175.152.1	192.168.2.5
Jan 15, 2025 14:06:27.695878029 CET	445	50316	182.175.152.1	192.168.2.5
Jan 15, 2025 14:06:27.747440100 CET	50455	445	192.168.2.5	182.175.152.2
Jan 15, 2025 14:06:27.752314091 CET	445	50455	182.175.152.2	192.168.2.5
Jan 15, 2025 14:06:27.752424955 CET	50455	445	192.168.2.5	182.175.152.2
Jan 15, 2025 14:06:27.757330894 CET	50455	445	192.168.2.5	182.175.152.2
Jan 15, 2025 14:06:27.757697105 CET	50456	445	192.168.2.5	182.175.152.2
Jan 15, 2025 14:06:27.762239933 CET	445	50455	182.175.152.2	192.168.2.5
Jan 15, 2025 14:06:27.762439966 CET	50455	445	192.168.2.5	182.175.152.2
Jan 15, 2025 14:06:27.762523890 CET	445	50456	182.175.152.2	192.168.2.5
Jan 15, 2025 14:06:27.762602091 CET	50456	445	192.168.2.5	182.175.152.2
Jan 15, 2025 14:06:27.762651920 CET	50456	445	192.168.2.5	182.175.152.2
Jan 15, 2025 14:06:27.767659903 CET	445	50456	182.175.152.2	192.168.2.5
Jan 15, 2025 14:06:28.263205051 CET	50470	445	192.168.2.5	90.146.13.1
Jan 15, 2025 14:06:28.268153906 CET	445	50470	90.146.13.1	192.168.2.5
Jan 15, 2025 14:06:28.268277884 CET	50470	445	192.168.2.5	90.146.13.1
Jan 15, 2025 14:06:28.268326044 CET	50470	445	192.168.2.5	90.146.13.1
Jan 15, 2025 14:06:28.273106098 CET	445	50470	90.146.13.1	192.168.2.5
Jan 15, 2025 14:06:28.689059973 CET	445	50319	24.121.53.1	192.168.2.5
Jan 15, 2025 14:06:28.689301968 CET	50319	445	192.168.2.5	24.121.53.1
Jan 15, 2025 14:06:28.689301968 CET	50319	445	192.168.2.5	24.121.53.1
Jan 15, 2025 14:06:28.689301968 CET	50319	445	192.168.2.5	24.121.53.1
Jan 15, 2025 14:06:28.694149971 CET	445	50319	24.121.53.1	192.168.2.5
Jan 15, 2025 14:06:28.694164038 CET	445	50319	24.121.53.1	192.168.2.5
Jan 15, 2025 14:06:28.787349939 CET	445	50437	59.126.4.2	192.168.2.5
Jan 15, 2025 14:06:28.787604094 CET	50437	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:28.787605047 CET	50437	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:28.787605047 CET	50437	445	192.168.2.5	59.126.4.2
Jan 15, 2025 14:06:28.792574883 CET	445	50437	59.126.4.2	192.168.2.5
Jan 15, 2025 14:06:28.792606115 CET	445	50437	59.126.4.2	192.168.2.5
Jan 15, 2025 14:06:28.841633081 CET	50486	445	192.168.2.5	59.126.4.3
Jan 15, 2025 14:06:28.846564054 CET	445	50486	59.126.4.3	192.168.2.5
Jan 15, 2025 14:06:28.846869946 CET	50486	445	192.168.2.5	59.126.4.3
Jan 15, 2025 14:06:28.846869946 CET	50486	445	192.168.2.5	59.126.4.3
Jan 15, 2025 14:06:28.847116947 CET	50487	445	192.168.2.5	59.126.4.3
Jan 15, 2025 14:06:28.851995945 CET	445	50486	59.126.4.3	192.168.2.5
Jan 15, 2025 14:06:28.852032900 CET	445	50487	59.126.4.3	192.168.2.5
Jan 15, 2025 14:06:28.852085114 CET	445	50486	59.126.4.3	192.168.2.5
Jan 15, 2025 14:06:28.852116108 CET	50487	445	192.168.2.5	59.126.4.3
Jan 15, 2025 14:06:28.852159023 CET	50487	445	192.168.2.5	59.126.4.3
Jan 15, 2025 14:06:28.852247000 CET	50486	445	192.168.2.5	59.126.4.3
Jan 15, 2025 14:06:28.856944084 CET	445	50487	59.126.4.3	192.168.2.5
Jan 15, 2025 14:06:29.622682095 CET	445	50321	97.151.157.1	192.168.2.5
Jan 15, 2025 14:06:29.622745037 CET	50321	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:06:29.622788906 CET	50321	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:06:29.622803926 CET	50321	445	192.168.2.5	97.151.157.1
Jan 15, 2025 14:06:29.627619028 CET	445	50321	97.151.157.1	192.168.2.5
Jan 15, 2025 14:06:29.627630949 CET	445	50321	97.151.157.1	192.168.2.5
Jan 15, 2025 14:06:29.637938023 CET	50514	445	192.168.2.5	191.52.146.9
Jan 15, 2025 14:06:29.642776012 CET	445	50514	191.52.146.9	192.168.2.5
Jan 15, 2025 14:06:29.642849922 CET	50514	445	192.168.2.5	191.52.146.9
Jan 15, 2025 14:06:29.642883062 CET	50514	445	192.168.2.5	191.52.146.9
Jan 15, 2025 14:06:29.647713900 CET	445	50514	191.52.146.9	192.168.2.5
Jan 15, 2025 14:06:29.684968948 CET	50518	445	192.168.2.5	97.151.157.2
Jan 15, 2025 14:06:29.689841986 CET	445	50518	97.151.157.2	192.168.2.5
Jan 15, 2025 14:06:29.689934969 CET	50518	445	192.168.2.5	97.151.157.2
Jan 15, 2025 14:06:29.690068960 CET	50518	445	192.168.2.5	97.151.157.2
Jan 15, 2025 14:06:29.690346003 CET	50520	445	192.168.2.5	97.151.157.2
Jan 15, 2025 14:06:29.694914103 CET	445	50518	97.151.157.2	192.168.2.5
Jan 15, 2025 14:06:29.695051908 CET	50518	445	192.168.2.5	97.151.157.2
Jan 15, 2025 14:06:29.695099115 CET	445	50520	97.151.157.2	192.168.2.5
Jan 15, 2025 14:06:29.695158005 CET	50520	445	192.168.2.5	97.151.157.2
Jan 15, 2025 14:06:29.695178986 CET	50520	445	192.168.2.5	97.151.157.2
Jan 15, 2025 14:06:29.699970961 CET	445	50520	97.151.157.2	192.168.2.5
Jan 15, 2025 14:06:30.028599024 CET	50537	445	192.168.2.5	126.66.235.1
Jan 15, 2025 14:06:30.033401012 CET	445	50537	126.66.235.1	192.168.2.5
Jan 15, 2025 14:06:30.033514023 CET	50537	445	192.168.2.5	126.66.235.1
Jan 15, 2025 14:06:30.033550024 CET	50537	445	192.168.2.5	126.66.235.1
Jan 15, 2025 14:06:30.038368940 CET	445	50537	126.66.235.1	192.168.2.5
Jan 15, 2025 14:06:30.169523001 CET	445	50324	192.201.193.1	192.168.2.5
Jan 15, 2025 14:06:30.169594049 CET	50324	445	192.168.2.5	192.201.193.1
Jan 15, 2025 14:06:30.169656992 CET	50324	445	192.168.2.5	192.201.193.1
Jan 15, 2025 14:06:30.169707060 CET	50324	445	192.168.2.5	192.201.193.1
Jan 15, 2025 14:06:30.174509048 CET	445	50324	192.201.193.1	192.168.2.5
Jan 15, 2025 14:06:30.174530029 CET	445	50324	192.201.193.1	192.168.2.5
Jan 15, 2025 14:06:31.409724951 CET	445	50514	191.52.146.9	192.168.2.5
Jan 15, 2025 14:06:31.409781933 CET	50514	445	192.168.2.5	191.52.146.9
Jan 15, 2025 14:06:31.622711897 CET	445	50329	98.93.158.1	192.168.2.5
Jan 15, 2025 14:06:31.622776031 CET	50329	445	192.168.2.5	98.93.158.1
Jan 15, 2025 14:06:32.844072104 CET	50344	445	192.168.2.5	44.53.29.1
Jan 15, 2025 14:06:32.844121933 CET	50456	445	192.168.2.5	182.175.152.2
Jan 15, 2025 14:06:32.844268084 CET	50340	445	192.168.2.5	163.149.244.2
Jan 15, 2025 14:06:32.844333887 CET	50514	445	192.168.2.5	191.52.146.9
Jan 15, 2025 14:06:32.844345093 CET	50350	445	192.168.2.5	31.211.10.2
Jan 15, 2025 14:06:32.844362020 CET	50329	445	192.168.2.5	98.93.158.1
Jan 15, 2025 14:06:32.844392061 CET	50335	445	192.168.2.5	96.157.153.1
Jan 15, 2025 14:06:32.844398022 CET	50332	445	192.168.2.5	64.111.49.1
Jan 15, 2025 14:06:32.844438076 CET	50338	445	192.168.2.5	85.81.219.1
Jan 15, 2025 14:06:32.844438076 CET	50343	445	192.168.2.5	130.222.120.1
Jan 15, 2025 14:06:32.844475985 CET	50353	445	192.168.2.5	73.167.67.1
Jan 15, 2025 14:06:32.844499111 CET	50354	445	192.168.2.5	11.170.45.1
Jan 15, 2025 14:06:32.844504118 CET	50348	445	192.168.2.5	16.194.92.1
Jan 15, 2025 14:06:32.844516039 CET	50357	445	192.168.2.5	95.45.80.2
Jan 15, 2025 14:06:32.844573975 CET	50360	445	192.168.2.5	122.150.85.1
Jan 15, 2025 14:06:32.844590902 CET	50363	445	192.168.2.5	191.65.111.1
Jan 15, 2025 14:06:32.844610929 CET	50366	445	192.168.2.5	117.121.16.1
Jan 15, 2025 14:06:32.844636917 CET	50369	445	192.168.2.5	209.154.74.1
Jan 15, 2025 14:06:32.844661951 CET	50372	445	192.168.2.5	13.84.89.1
Jan 15, 2025 14:06:32.844675064 CET	50374	445	192.168.2.5	213.39.119.2
Jan 15, 2025 14:06:32.844702005 CET	50402	445	192.168.2.5	41.215.205.1
Jan 15, 2025 14:06:32.844719887 CET	50376	445	192.168.2.5	149.250.22.1
Jan 15, 2025 14:06:32.844744921 CET	50384	445	192.168.2.5	166.112.213.1
Jan 15, 2025 14:06:32.844769955 CET	50397	445	192.168.2.5	48.181.201.2
Jan 15, 2025 14:06:32.844804049 CET	50429	445	192.168.2.5	132.154.163.1
Jan 15, 2025 14:06:32.844821930 CET	50419	445	192.168.2.5	195.114.66.2
Jan 15, 2025 14:06:32.844835043 CET	50487	445	192.168.2.5	59.126.4.3
Jan 15, 2025 14:06:32.844861031 CET	50470	445	192.168.2.5	90.146.13.1
Jan 15, 2025 14:06:32.844950914 CET	50520	445	192.168.2.5	97.151.157.2
Jan 15, 2025 14:06:32.844990969 CET	50537	445	192.168.2.5	126.66.235.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 14:05:26.341898918 CET	57313	53	192.168.2.5	1.1.1.1
Jan 15, 2025 14:05:26.353187084 CET	53	57313	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 14:05:26.341898918 CET	192.168.2.5	1.1.1.1	0x956e	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 14:05:17.614533901 CET	1.1.1.1	192.168.2.5	0x71d3	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 14:05:17.614533901 CET	1.1.1.1	192.168.2.5	0x71d3	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 15, 2025 14:05:26.353187084 CET	1.1.1.1	192.168.2.5	0x956e	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.16.167.228	A (IP address)	IN (0x0001)	false
Jan 15, 2025 14:05:26.353187084 CET	1.1.1.1	192.168.2.5	0x956e	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.16.166.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49756	104.16.167.228	80	3620	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 14:05:26.391333103 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 14:05:26.878580093 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 13:05:26 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 902613ce9826f5fa-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49762	104.16.167.228	80	5404	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 14:05:27.224606037 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 14:05:27.706903934 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 13:05:27 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 902613d3bc48c343-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49781	104.16.167.228	80	1988	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 14:05:28.254964113 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 14:05:28.728919983 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 13:05:28 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 902613da282f7c9a-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Target ID:	1
Start time:	08:05:21
Start date:	15/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll"
Imagebase:	0xe90000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:05:21
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:05:22
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:05:23
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\bC61G18iPf.dll,PlayGame
Imagebase:	0xdf0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:05:23
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll",#1
Imagebase:	0xdf0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:05:24
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	A2882AE67399CA859277CFFE04F10E18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2328543666.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2328543666.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2302360963.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.2302360963.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2302246591.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2328399065.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:05:25
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	A2882AE67399CA859277CFFE04F10E18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2317856826.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000000.2317856826.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2959623185.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2959623185.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2959426522.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2960358590.0000000001EC2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2960358590.0000000001EC2000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2317713903.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2960608445.00000000023E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2960608445.00000000023E2000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:05:26
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\bC61G18iPf.dll",PlayGame
Imagebase:	0xdf0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:05:26
Start date:	15/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	E19F8CB58CEEDE7D421A4BD320109DEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000000.2325863746.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 93%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:05:27
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	A2882AE67399CA859277CFFE04F10E18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000000.2328376091.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000002.2336851400.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000002.2336993544.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000002.2336993544.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000000.2328520329.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000000.2328520329.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:05:27
Start date:	15/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	E19F8CB58CEEDE7D421A4BD320109DEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000000.2336119939.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000002.2336486980.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	64.9%
Total number of Nodes:	37
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

tasksche.exe, xrefs: 00407DEA
WriteFile, xrefs: 00407D1C
CreateProcessA, xrefs: 00407D07
C:\%s\%s, xrefs: 00407DFB
C:\%s\qeriuwjhrf, xrefs: 00407E12
CloseHandle, xrefs: 00407D29
D, xrefs: 00407ED3
CreateFileA, xrefs: 00407D0F
WINDOWS, xrefs: 00407DF2, 00407E0D
/i, xrefs: 00407E8D
kernel32.dll, xrefs: 00407CEA

Memory Dump Source

Source File: 00000006.00000002.2328318271.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2328272891.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328370168.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328399065.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328399065.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328459495.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328543666.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2328318271.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2328272891.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328370168.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328399065.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328399065.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328459495.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328543666.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.2328318271.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2328272891.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328370168.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328399065.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328399065.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328459495.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328543666.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95

Memory Dump Source

Source File: 00000006.00000002.2328318271.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2328272891.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328370168.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328399065.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328399065.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328459495.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328543666.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F370EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2328318271.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2328272891.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328370168.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328399065.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328399065.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328459495.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2328543666.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvc.exePID: 5404, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F370EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000007.00000002.2959347014.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2959327182.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959367468.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959385178.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959385178.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959426522.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959443691.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959462889.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959623185.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000007.00000002.2959347014.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2959327182.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959367468.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959385178.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959385178.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959426522.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959443691.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959462889.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959623185.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95
Microsoft Security Center (2.0) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000007.00000002.2959347014.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2959327182.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959367468.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959385178.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959385178.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959426522.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959443691.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959462889.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959623185.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

CloseHandle, xrefs: 00407D29
C:\%s\%s, xrefs: 00407DFB
C:\%s\qeriuwjhrf, xrefs: 00407E12
WINDOWS, xrefs: 00407DF2, 00407E0D
D, xrefs: 00407ED3
kernel32.dll, xrefs: 00407CEA
WriteFile, xrefs: 00407D1C
/i, xrefs: 00407E8D
CreateProcessA, xrefs: 00407D07
CreateFileA, xrefs: 00407D0F
tasksche.exe, xrefs: 00407DEA

Memory Dump Source

Source File: 00000007.00000002.2959347014.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2959327182.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959367468.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959385178.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959385178.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959426522.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959443691.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959462889.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959623185.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000007.00000002.2959347014.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2959327182.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959367468.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959385178.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959385178.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959426522.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959443691.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959462889.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2959623185.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Analysis Process: tasksche.exePID: 940, Parent PID: 3620COMMON

Non-executed Functions

Function 00406C40 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 365COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(000000FF,?,0000012C,?,00000000), ref: 00406C91

Strings

/..\, xrefs: 00406E03
\../, xrefs: 00406DE7
/../, xrefs: 00406DF5
\..\, xrefs: 00406DD9

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: /../$/..\$\../$\..\
API String ID: 3510742995-3885502717
Opcode ID: 00491be41aa5427f31b8b9a32a9b57da7e2e6dff5cb5143b376a5dd6570fe62a
Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
Opcode Fuzzy Hash: 00491be41aa5427f31b8b9a32a9b57da7e2e6dff5cb5143b376a5dd6570fe62a
Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98

Function 00401A45 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

Strings

CryptGenKey, xrefs: 00401AAD
CryptDestroyKey, xrefs: 00401A86
CryptImportKey, xrefs: 00401A79
CryptDecrypt, xrefs: 00401AA0
CryptEncrypt, xrefs: 00401A93
CryptAcquireContextA, xrefs: 00401A71
advapi32.dll, xrefs: 00401A55

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
API String ID: 2238633743-2459060434
Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C

Function 00401CE8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 75serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
CloseServiceHandle.ADVAPI32(?), ref: 00401D9E

Strings

cmd.exe /c "%s", xrefs: 00401D4E

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ManagerStart
String ID: cmd.exe /c "%s"
API String ID: 1485051382-955883872
Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68

Function 00402A76 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 334COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F

Strings

, xrefs: 00402E64

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow$memcpy
String ID:
API String ID: 1881450474-3916222277
Opcode ID: 5e29447d29244d2d39637b6b268b84fba844d2984039595502739967419f177d
Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
Opcode Fuzzy Hash: 5e29447d29244d2d39637b6b268b84fba844d2984039595502739967419f177d
Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58

Function 004014A6 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 178filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
_local_unwind2.MSVCRT(?,000000FF), ref: 004016D6

Strings

2!@, xrefs: 004016C5
WANACRY!, xrefs: 00401566

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
String ID: 2!@$WANACRY!
API String ID: 283026544-2846199637
Opcode ID: 132a2296b2ff258622cfdc5610791c464188c2d7d3f69318739cc377377d902c
Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
Opcode Fuzzy Hash: 132a2296b2ff258622cfdc5610791c464188c2d7d3f69318739cc377377d902c
Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28

Function 004014B3 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 175filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
_local_unwind2.MSVCRT(?,000000FF), ref: 004016D6

Strings

2!@, xrefs: 004016C5
WANACRY!, xrefs: 00401566

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
String ID: 2!@$WANACRY!
API String ID: 283026544-2846199637
Opcode ID: d9b1b6046084e2d9d8768fc4d8ac5865fa55d0fd0db9d64480dfd0594076ccd5
Instruction ID: 4f5db7b03fbae4bd1a74ba09c9783dfc14942441ffc150fb06ee42d3f2d97cbc
Opcode Fuzzy Hash: d9b1b6046084e2d9d8768fc4d8ac5865fa55d0fd0db9d64480dfd0594076ccd5
Instruction Fuzzy Hash: EF511C71901219AFDB219F95CD88BEEB7BCEB08380F1444BAF515F61A0D7399A45CF28

Function 0040350F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9

Strings

Q;@, xrefs: 004036E2, 004035FD
, xrefs: 004036AE

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID: $Q;@
API String ID: 2382887404-262343263
Opcode ID: 9d88d7451ce12b7c3a5d5664735e91029da3423811efce9d06213ba3f138044b
Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
Opcode Fuzzy Hash: 9d88d7451ce12b7c3a5d5664735e91029da3423811efce9d06213ba3f138044b
Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58

Function 00403797 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937

Strings

, xrefs: 0040393C

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-3916222277
Opcode ID: 42e34b84d78c9f38c94d52d8705d7c54678ed6dfd70add5debdb3b39e4a64336
Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
Opcode Fuzzy Hash: 42e34b84d78c9f38c94d52d8705d7c54678ed6dfd70add5debdb3b39e4a64336
Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58

Function 004029CC Relevance: 3.8, APIs: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT(?,?,00000000,00000000,0040243C,00000000), ref: 00402A15
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
HeapFree.KERNEL32(00000000), ref: 00402A3D

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcessfree
String ID:
API String ID: 3428986607-0
Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58

Function 00402E7E Relevance: 3.3, APIs: 2, Instructions: 272COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402E98
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402EA7

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98

Function 004031BC Relevance: 3.3, APIs: 2, Instructions: 271COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031D6
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031E5

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84

Function 004043B7 Relevance: 1.9, APIs: 1, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 71b96a770fe0ecad1357f1a23098f25de26b1f41743f28900a51c64cf9a44166
Instruction ID: 90343a8667ee0670e87e021bba3e221c8adc0c1da1bb1a76252bfdf766af77e9
Opcode Fuzzy Hash: 71b96a770fe0ecad1357f1a23098f25de26b1f41743f28900a51c64cf9a44166
Instruction Fuzzy Hash: FB520CB5900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55CF44

Function 004018B9 Relevance: 1.5, APIs: 1, Instructions: 25encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58

Function 00404C19 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84

Function 0040541F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4

Function 0040170A Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797

Strings

kernel32.dll, xrefs: 00401727
WriteFile, xrefs: 0040174B
CreateFileW, xrefs: 00401743
CloseHandle, xrefs: 0040178C
MoveFileW, xrefs: 00401765
MoveFileExW, xrefs: 00401772
ReadFile, xrefs: 00401758
DeleteFileW, xrefs: 0040177F

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
API String ID: 2238633743-1294736154
Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E

Function 00401FE7 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 132stringfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000208), ref: 0040201F

Part of subcall function 00401225: GetComputerNameW.KERNEL32(?,0000018F), ref: 0040125F
Part of subcall function 00401225: wcslen.MSVCRT(?), ref: 00401279
Part of subcall function 00401225: wcslen.MSVCRT(?), ref: 00401298
Part of subcall function 00401225: srand.MSVCRT(00000001), ref: 004012A1
Part of subcall function 00401225: rand.MSVCRT ref: 004012AE
Part of subcall function 00401225: rand.MSVCRT ref: 004012C0
Part of subcall function 00401225: rand.MSVCRT ref: 004012DD

__p___argc.MSVCRT ref: 00402030
__p___argv.MSVCRT(0040F538), ref: 00402040
strcmp.MSVCRT(?), ref: 0040204B

Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10

CopyFileA.KERNEL32(?,tasksche.exe,00000000), ref: 0040206F
GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076

Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97

strrchr.MSVCRT(?,0000005C), ref: 0040209D
strrchr.MSVCRT(?,0000005C), ref: 004020AE
SetCurrentDirectoryA.KERNEL32(?), ref: 004020BB

Strings

TaskStart, xrefs: 00402145
icacls . /grant Everyone:F /T /C /Q, xrefs: 004020E8
attrib +h ., xrefs: 004020DC
tasksche.exe, xrefs: 00402061, 0040206D, 00402075
t.wnry, xrefs: 00402125

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$Namerand$AttributesDirectorystrrchrwcslen$ByteCharComputerCopyCurrentFullModuleMultiPathWideWindows__p___argc__p___argvsrandstrcmpswprintf
String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
API String ID: 1102508541-2844324180
Opcode ID: fa07170e1e4a4f1b7f83228e29d312703e7eca5b79990a058ae1880847bcfca1
Instruction ID: 97633fc0405850e3ba211803acf8e340ff081048f6dba40907e2b9e4b27fb4f3
Opcode Fuzzy Hash: fa07170e1e4a4f1b7f83228e29d312703e7eca5b79990a058ae1880847bcfca1
Instruction Fuzzy Hash: 3741B472500359AEDB20A7B1DE49E9F376C9F10314F2005BFF645F61E2DE788D488A28

Function 00407136 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 272COMMON

Download Yara Rule

Strings

%s%s%s, xrefs: 004072F6
%s%s, xrefs: 00407389
\, xrefs: 00407358
:, xrefs: 0040736E

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s$:$\
API String ID: 0-1100577047
Opcode ID: 4cc63effac65e5938d24d15cc637f4576a4bae754db62ced997f6066a9556017
Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
Opcode Fuzzy Hash: 4cc63effac65e5938d24d15cc637f4576a4bae754db62ced997f6066a9556017
Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A

Function 004010FD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 100registrystringCOMMON

Download Yara Rule

APIs

wcscat.MSVCRT(?,WanaCrypt0r), ref: 0040114B
RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
strlen.MSVCRT(?), ref: 004011A7
RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
RegCloseKey.ADVAPI32(00000000), ref: 00401203

Strings

Software\, xrefs: 0040110A
0@, xrefs: 00401157
WanaCrypt0r, xrefs: 00401145

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
String ID: 0@$Software\$WanaCrypt0r
API String ID: 865909632-3421300005
Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8

Function 00401B5F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
GetFileAttributesW.KERNEL32(?), ref: 00401C10
swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD

Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21

Strings

%s\Intel, xrefs: 00401C4D
%s\ProgramData, xrefs: 00401BFE

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
String ID: %s\Intel$%s\ProgramData
API String ID: 3806094219-198707228
Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59

Function 004077C7 Relevance: 16.6, APIs: 11, Instructions: 108COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT(00000002), ref: 004077E7
__p__fmode.MSVCRT ref: 004077FC
__p__commode.MSVCRT ref: 0040780A
__setusermatherr.MSVCRT(0040793C), ref: 00407836
_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
GetStartupInfoA.KERNEL32(?), ref: 004078BE
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
exit.MSVCRT(00000000), ref: 004078F2
_XcptFilter.MSVCRT(?,?), ref: 00407904

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 0e2500766ef754de96a0bec646d21198ba904cb2609c2db2b7504f8e1e7d9631
Instruction ID: b6807de3fe1c3e28ab0f2b8c021909998ac3013dced3884fb388c7f537fcd598
Opcode Fuzzy Hash: 0e2500766ef754de96a0bec646d21198ba904cb2609c2db2b7504f8e1e7d9631
Instruction Fuzzy Hash: A34173B1C04344AFDB20AFA4DE49AA97BB8BF05310F20417FE581B72E1D7786845CB59

Function 004021E9 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 233memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?,00000040,?,0000DDB6,00000000,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000,?,t.wnry), ref: 00402463

SetLastError.KERNEL32(000000C1,?,0000DDB6,00000000,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000,?,t.wnry), ref: 00402219
GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,00000000,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000,?,t.wnry), ref: 00402291
GetProcessHeap.KERNEL32(00000008,0000003C), ref: 00402313
HeapAlloc.KERNEL32(00000000), ref: 0040231A
memcpy.MSVCRT(00000000,?,?), ref: 004023A7

Part of subcall function 00402470: memset.MSVCRT(?,00000000,?,?,00000000,00000000,?), ref: 004024D5

SetLastError.KERNEL32(0000045A), ref: 00402430

Strings

kernel32.dll, xrefs: 0040228C
GetNativeSystemInfo, xrefs: 004022A1

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 1900561814-192647395
Opcode ID: 3b06903ad61f6388da72c89ae901831d64978f6829295481817f3ae41c17b4c7
Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
Opcode Fuzzy Hash: 3b06903ad61f6388da72c89ae901831d64978f6829295481817f3ae41c17b4c7
Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98

Function 00401DAB Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,0000080A,XIA), ref: 00401DC3
LoadResource.KERNEL32(?,00000000), ref: 00401DD3
LockResource.KERNEL32(00000000), ref: 00401DDE
SizeofResource.KERNEL32(?,00000000,?), ref: 00401DF1
strcmp.MSVCRT(?,c.wnry,00000000,00000000,00000000), ref: 00401E5B
GetFileAttributesA.KERNEL32(?), ref: 00401E6E

Strings

c.wnry, xrefs: 00401E55
XIA, xrefs: 00401DB6

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Resource$AttributesFileFindLoadLockSizeofstrcmp
String ID: XIA$c.wnry
API String ID: 1616299030-2505933848
Opcode ID: fa50258f105623fefeb72ee45be684de9f148c77f4537fdf01ad18e8f360a7dc
Instruction ID: c6e87d2598776ad3e20a4276f2cf7508875c12884426eb96d7428c940f8e6225
Opcode Fuzzy Hash: fa50258f105623fefeb72ee45be684de9f148c77f4537fdf01ad18e8f360a7dc
Instruction Fuzzy Hash: 93210332D001147ADB216631DC45FEF3A6C9F45360F1001B6FE48F21D1DB38DA998AE9

Function 00401AF6 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
GetFileAttributesW.KERNEL32(?), ref: 00401B2C
SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E

Strings

%s\%s, xrefs: 00401B46

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$AttributesCreateCurrentFile$swprintf
String ID: %s\%s
API String ID: 1036847564-4073750446
Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8

Function 00401064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
CloseHandle.KERNEL32(?), ref: 004010EC
CloseHandle.KERNEL32(?), ref: 004010F1

Strings

D, xrefs: 00401074

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
String ID: D
API String ID: 786732093-2746444292
Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8

Function 00401225 Relevance: 10.6, APIs: 7, Instructions: 87COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,0000018F), ref: 0040125F
wcslen.MSVCRT(?), ref: 00401279
wcslen.MSVCRT(?), ref: 00401298
srand.MSVCRT(00000001), ref: 004012A1
rand.MSVCRT ref: 004012AE
rand.MSVCRT ref: 004012C0
rand.MSVCRT ref: 004012DD

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: rand$wcslen$ComputerNamesrand
String ID:
API String ID: 3058258771-0
Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8

Function 00407070 Relevance: 10.6, APIs: 7, Instructions: 74stringCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 00407083
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00407091
memcpy.MSVCRT(?,004073A3,004073A3,?,00000000,00000000), ref: 004070CA
strcpy.MSVCRT(00000000,00000000,00000000,00000000), ref: 004070FB
strcat.MSVCRT(00000000,004073A3,00000000,00000000), ref: 0040710A
GetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 00407118
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
String ID:
API String ID: 2935503933-0
Opcode ID: c1a765a30f049a6e983e84c7fcdc04c319bd997b8f8109f685edbec73173bf57
Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
Opcode Fuzzy Hash: c1a765a30f049a6e983e84c7fcdc04c319bd997b8f8109f685edbec73173bf57
Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669

Function 00401EFF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
Sleep.KERNEL32(000003E8), ref: 00401F40
CloseHandle.KERNEL32(00000000), ref: 00401F52

Strings

Global\MsWinZonesCacheCounterMutexA, xrefs: 00401F08
%s%d, xrefs: 00401F10

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexOpenSleepsprintf
String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
API String ID: 2780352083-2959021817
Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8

Function 00403A77 Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-0
Opcode ID: 7d0f093dcb85c1b01e904b58e66d92adf2767ba9b2af66087918d42cfe2af866
Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
Opcode Fuzzy Hash: 7d0f093dcb85c1b01e904b58e66d92adf2767ba9b2af66087918d42cfe2af866
Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
fclose.MSVCRT(00000000), ref: 00401058

Strings

c.wnry, xrefs: 00401016

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: fclosefopenfreadfwrite
String ID: c.wnry
API String ID: 4000964834-3240288721
Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE

Function 004027DF Relevance: 7.6, APIs: 5, Instructions: 121COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?,004023F5,00000000), ref: 00402812
realloc.MSVCRT(85000001,317459C0,00000000), ref: 00402854
IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Read$realloc
String ID:
API String ID: 1241503663-0
Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59

Function 00401906 Relevance: 7.6, APIs: 5, Instructions: 76filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040193A
GetFileSize.KERNEL32(00000000,00000000), ref: 0040194A
GlobalAlloc.KERNEL32(00000000,00000000), ref: 00401964
ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000), ref: 0040197D
_local_unwind2.MSVCRT(?,000000FF), ref: 004019A6

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalReadSize_local_unwind2
String ID:
API String ID: 2811923685-0
Opcode ID: 3fa06aadd2471a705e8128430a745042bdb722af5d61b5b79dd264e81bcff4b6
Instruction ID: 6e643f249040116b9fc09fba66d69f614d66e1f70caffd77d95453aa30823522
Opcode Fuzzy Hash: 3fa06aadd2471a705e8128430a745042bdb722af5d61b5b79dd264e81bcff4b6
Instruction Fuzzy Hash: B1216DB1905224AFCB219BA59D48BDF7E78EB097A0F14422BF415B22E0D7384845C7AC

Function 00405BAE Relevance: 6.1, APIs: 4, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?,00000140,?,00406C12,?,00000000,00000001), ref: 00405BFE
SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,?,00000140,?,00406C12,?,00000000,00000001,?,004074EA,?), ref: 00405C29
??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,?,00000140,?,00406C12,?,00000000,00000001,?,004074EA,?,?,?), ref: 00405C38
SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,00000000,?,00000140,?,00406C12,?,00000000,00000001,?,004074EA), ref: 00405C8A

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$Pointer$??2@Create
String ID:
API String ID: 1331958074-0
Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69

Function 00406B8E Relevance: 6.1, APIs: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,00000000,00000000,?,004074EA,?,?,?,00000000,?,004075C0,00000000,00000000,00000003), ref: 00406BB5
strlen.MSVCRT(00000140,?,004074EA,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 00406BBC
strcat.MSVCRT(00000140,0040F818,?,004074EA,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000), ref: 00406BD7
SetFilePointer.KERNEL32(?,00000000,00000000,00000001,004074EA,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE), ref: 00406BEE

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryFilePointerstrcatstrlen
String ID:
API String ID: 1952800545-0
Opcode ID: f23f8598dec8bbb4ac10b6a236faff338d1a89892e54ee5ab5b1cbc5c19062ee
Instruction ID: 093f70e5e45cef0a0e83344fd40667ee43cd8b667dee5f3d4d1a5a93074d9648
Opcode Fuzzy Hash: f23f8598dec8bbb4ac10b6a236faff338d1a89892e54ee5ab5b1cbc5c19062ee
Instruction Fuzzy Hash: 06112372004218AAFB305B28DD01BAB3368EB21720F21013FF592B91D0E778A9A2975D

Function 004074A4 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004074A9
??2@YAPAXI@Z.MSVCRT(00000244,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 004074B5
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 004074FF

Part of subcall function 00407527: strlen.MSVCRT(00000000,00000000,00000000,004074D0,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 0040754F
Part of subcall function 00407527: ??2@YAPAXI@Z.MSVCRT(00000001,00000000,00000000,00000000,004074D0,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 00407556
Part of subcall function 00407527: strcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,00000000,004074D0,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE), ref: 00407563

??2@YAPAXI@Z.MSVCRT(00000008,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 0040750B

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??2@$??3@H_prologstrcpystrlen
String ID:
API String ID: 1367312548-0
Opcode ID: a4ccc6bdab315bb6810547fd1e784a1e5bd6969783f5aead57b9b326a8da6d2d
Instruction ID: 24e2e141a7415e54cfde60e06bc6f84240982ef19f6b767edb42695c1fbc6ce5
Opcode Fuzzy Hash: a4ccc6bdab315bb6810547fd1e784a1e5bd6969783f5aead57b9b326a8da6d2d
Instruction Fuzzy Hash: C101D431D09111BBDB166F659C02B9E3EA0AF04764F10853FF806B76D1DB78AD00C69E

Function 00405C9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000), ref: 00405CB6
??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000), ref: 00405CBD

Strings

$l@, xrefs: 00405C9F

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??3@CloseHandle
String ID: $l@
API String ID: 3816424416-2140230165
Opcode ID: 695026124e8f63dae5928df1cfc53220c2aa5689ade8ebf819959d8fbb63d2b2
Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
Opcode Fuzzy Hash: 695026124e8f63dae5928df1cfc53220c2aa5689ade8ebf819959d8fbb63d2b2
Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC

Function 004019E1 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C

Memory Dump Source

Source File: 0000000A.00000002.2327453512.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2327422201.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327486231.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327538249.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2327569778.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Entermemcpy
String ID:
API String ID: 3435569088-0
Opcode ID: 94e8d9869d495fd689c19527cd0e18adf9874140e5f97769a3eef967b1068a4f
Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
Opcode Fuzzy Hash: 94e8d9869d495fd689c19527cd0e18adf9874140e5f97769a3eef967b1068a4f
Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to lowest risk score due to lack of data" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bC61G18iPf.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
bC61G18iPf.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON